CVE-2025-66548

CWE-1162 documents2 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 96.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Deck

Timeline

PublishedDec 5

Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/deck1.14.0 — 1.14.4+2

▶CVEListV5nextcloud/security-advisories< 1.12.7+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Deck app allows to spoof file extensions by using RTLO characters↗2025-12-05

▶