CVE-2025-66549

CWE-2094 documents4 sources
Severity: 2.7 LOW
EPSS: 0.0% (top 89.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 5

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Exploitability: 0.9 | Impact: 1.4

Affected Packages (3 packages)

NVD | nextcloud/desktop | 3.0.0 | 3.16.5
Debian | nextcloud-desktop | < 3.16.6-3+1
CVEListV5 | nextcloud/security-advisories | < 3.16.5

🔴 Vulnerability Details (2)

OSV | CVE-2025-66549: Nextcloud Desktop is the desktop sync client for Nextcloud | 2025-12-05
CVEList | Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory | 2025-12-05

📋 Vendor Advisories (1)

Debian | CVE-2025-66549: nextcloud-desktop - Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, whe... | 2025