CVE-2025-66557

CWE-284 — Improper Access Control2 documents2 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 95.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Deck

Timeline

PublishedDec 5

Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDnextcloud/deck1.14.0 — 1.14.6+1

▶CVEListV5nextcloud/security-advisories< 1.14.6+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Deck app allowed user with "Can share" permission to modify permissions of other non-owners↗2025-12-05

▶