CVE-2025-66556

CWE-639 — Insecure Direct Object Reference2 documents2 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 95.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Talk

Timeline

PublishedDec 5

Description

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/talk20.0.0 — 20.1.8+1

▶CVEListV5nextcloud/security-advisories< 20.1.8+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud talk allows participants to blindly delete poll drafts of other users by ID↗2025-12-05

▶