
Nextcloud Server vulnerabilities

189 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15

Vulnerabilities

Page 1 of 10
CVE-2023-26482 | P2 | HIGH | CVSS 8.8 | PoC available | affected: ≥ 18.0.0, < 20.0.14.12; ≥ 21.0.0, < 21.0.9.10; +4 more | published 2023-03-30
CWE-78. Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due
Source: nvd
CVE-2021-32726 | P3 | CRITICAL | CVSS 9.8 | fixed in 19.0.13; affected: ≥ 20.0.0, < 20.0.11; +1 more | published 2021-07-12
CWE-708. Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, WebAuthn tokens were not deleted after a user had been deleted. If a victim reused a previously used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There a
Source: nvd
CVE-2023-49792 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 23.0.0, < 23.0.12.13; ≥ 24.0.0, < 24.0.12.9; +3 more | published 2023-12-22
CWE-307. Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a
Source: nvd
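The description above is cut off on this page, so the following is not a reconstruction of the Nextcloud bug but an added example of the general pattern the entry is about: deriving the client address from X-Forwarded-For only when the TCP peer is a configured trusted proxy, and walking the header from the right so that an attacker cannot prepend an address of their choosing. This is not Nextcloud code; the trusted-proxy list, the function names and the sample requests are constructed assumptions.

```python
"""Resolve the client IP from X-Forwarded-For only through trusted proxies.

Added example, not Nextcloud code. TRUSTED_PROXIES, the function names and
the sample addresses are assumptions made for illustration.
"""
import ipaddress
from typing import Iterable, Optional

# Assumed operator configuration: only these hops are allowed to set
# X-Forwarded-For. Anything else that sends the header is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr parses and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr: str, xff_header: Optional[str],
                      trusted=TRUSTED_PROXIES) -> str:
    """Walk X-Forwarded-For right to left, skipping trusted hops.

    remote_addr (the TCP peer) is the only address the server can verify.
    Each entry further left in the header was appended by a proxy further
    out, so it can be trusted only while the hop that appended it is itself
    a trusted proxy. The first untrusted entry is the closest address we
    cannot vouch for, and that is the client for rate-limiting purposes.
    """
    if not _is_trusted(remote_addr, trusted):
        # Direct connection from a non-proxy: the header is attacker-controlled.
        return remote_addr
    if not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return remote_addr  # malformed hop: fall back to the verified peer
    # Every listed hop is one of our proxies; the peer is the best we have.
    return remote_addr


def naive_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """The weak pattern: take the leftmost X-Forwarded-For entry unconditionally.

    A client that sends "X-Forwarded-For: 1.2.3.4" picks its own identity,
    which defeats any per-IP throttling keyed on the result.
    """
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: attacker behind a trusted proxy prepends a fake hop.
    print(naive_client_ip("10.1.1.1", "1.2.3.4, 198.51.100.9"))    # 1.2.3.4 (spoofed)
    print(resolve_client_ip("10.1.1.1", "1.2.3.4, 198.51.100.9"))  # 198.51.100.9
```

The two calls at the bottom show the difference that matters for a brute-force throttle: the naive reader keys the counter on whatever the attacker wrote, the right-to-left walk keys it on the first address the proxy chain actually observed.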
CVE-2021-32688 | P3 | HIGH | CVSS 8.8 | fixed in 19.0.13; affected: ≥ 20.0.0, < 20.0.11; +1 more | published 2021-07-12
CWE-285. Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, th
Source: nvd
CVE-2021-32802 | P3 | CRITICAL | CVSS 9.8 | fixed in 20.0.12; affected: ≥ 21.0.0, < 21.0.4; +1 more | published 2021-09-07
CWE-829. Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to
Source: nvd
CVE-2021-32654 | P3 | CRITICAL | CVSS 9.1 | fixed in 19.0.11; affected: ≥ 20.0.0, < 20.0.10; +1 more | published 2021-06-01
CWE-639. Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.1
Source: nvd
CVE-2016-9463 | P3 | HIGH | CVSS 8.1 | fixed in 9.0.54; affected: ≥ 10.0.0, < 10.0.1 | published 2017-03-28
CWE-303. Nextcloud Server before 9.0.54 and 10.0.1 and ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB s
Source: nvd
CVE-2018-3775 | P3 | HIGH | CVSS 8.8 | fixed in 12.0.3 | published 2018-08-12
CWE-287. Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass two-factor authentication.
Source: nvd
CVE-2023-48306 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ 22.0.0, < 22.2.10.16; ≥ 23.0.0, < 23.0.12.11; +4 more | published 2023-11-21
CWE-918. Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server, and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, the DNS pin middlew
Source: nvd
CVE-2023-30539 | P3 | HIGH | CVSS 8.8 | affected: ≥ 21.0.0, < 21.0.9.11; ≥ 22.0.0, < 22.2.10.11; +3 more | published 2023-04-17
CWE-284. Nextcloud is a personal home server system. Depending on the configured tags and other workflows, this issue can be used to restrict other users' access, or to grant them access, where system-tag-based file access control or file retention rules are in place. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enter
Source: nvd
CVE-2021-32800 | P3 | HIGH | CVSS 8.1 | fixed in 20.0.12; affected: ≥ 21.0.0, < 21.0.4; +1 more | published 2021-09-07
CWE-306. Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthn trusted device of a user, was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4
Source: nvd
CVE-2026-45281 | P3 | HIGH | CVSS 8.1 | affected: ≥ 32.0.0, < 32.0.9; ≥ 33.0.0, < 33.0.3; +11 more | published 2026-06-01
CWE-639. Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users' principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of i
Source: nvd
CVE-2023-35172 | P3 | CRITICAL | CVSS 9.1 | affected: ≥ 21.0.0, < 21.0.9.12; ≥ 22.0.0, < 22.2.10.12; +4 more | published 2023-06-23
CWE-307. Nextcloud Server and Nextcloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In Nextcloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.
Source: nvd
CVE-2023-45151 | P3 | HIGH | CVSS 8.8 | affected: ≥ 25.0.0, < 25.0.8; ≥ 26.0.0, < 26.0.3; +1 more | published 2023-10-16
CWE-312. Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext, which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. Ther
Source: nvd
CVE-2023-35928 | P3 | HIGH | CVSS 8.8 | affected: ≥ 19.0.0, < 19.0.13.9; ≥ 20.0.0, < 20.0.14.14; +6 more | published 2023-06-23
CWE-274. Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity platform. In Nextcloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.
Source: nvd
CVE-2021-22915 | P3 | CRITICAL | CVSS 9.8 | fixed in 19.0.11; affected: ≥ 20.0.0, < 20.0.10; +2 more | published 2021-06-11
CWE-307. Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
Source: nvd
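Why per-address counters are not enough for IPv6, as an added example (not Nextcloud's brute-force protection code): a single customer is typically handed an entire /64, so an attacker who rotates through addresses inside it never trips a counter keyed on the exact address. The guard below keys failures on the /64 (IPv6) or /32 (IPv4) instead; those prefix sizes, the attempt budget and the sample addresses are assumptions chosen for illustration.

```python
"""Brute-force counter keyed on the client's network rather than its address.

Added example, not Nextcloud code. IPV4_PREFIX, IPV6_PREFIX, the class and
function names and the sample addresses are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict

IPV4_PREFIX = 32   # one IPv4 address = one client
IPV6_PREFIX = 64   # one IPv6 /64 = one client (an attacker controls the whole block)


def throttle_key(addr: str) -> str:
    """Collapse an address to the network a single party typically controls."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV6_PREFIX if ip.version == 6 else IPV4_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def per_address_key(addr: str) -> str:
    """The weak keying: every distinct address gets its own counter."""
    return str(ipaddress.ip_address(addr))


class BruteForceGuard:
    """Counts failed logins per key and blocks once the budget is spent."""

    def __init__(self, max_failures: int, key_func=throttle_key):
        self.max_failures = max_failures
        self.key_func = key_func
        self.failures = defaultdict(int)

    def record_failure(self, addr: str) -> None:
        self.failures[self.key_func(addr)] += 1

    def is_blocked(self, addr: str) -> bool:
        return self.failures[self.key_func(addr)] >= self.max_failures


def simulate(guard: BruteForceGuard, attempts) -> int:
    """Feed failed logins in order; return how many got through before a block."""
    accepted = 0
    for addr in attempts:
        if guard.is_blocked(addr):
            break
        guard.record_failure(addr)
        accepted += 1
    return accepted


if __name__ == "__main__":
    # Constructed sample: four attempts from four addresses in the same /64.
    rotating = ["2001:db8::1", "2001:db8::2", "2001:db8::3", "2001:db8::4"]
    print(simulate(BruteForceGuard(3, per_address_key), rotating))  # 4: never blocked
    print(simulate(BruteForceGuard(3, throttle_key), rotating))     # 3: blocked on the 4th
```

The same guard with the same budget blocks the rotating attacker only when the key is the subnet; with per-address keys every attempt lands on a fresh counter.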
CVE-2021-32656 | P3 | HIGH | CVSS 8.6 | fixed in 19.0.11; affected: ≥ 20.0.0, < 20.0.10; +1 more | published 2021-06-01
CWE-284. Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supp
Source: nvd
CVE-2023-28643 | P3 | HIGH | CVSS 8.8 | affected: ≥ 24.0.0, < 24.0.9; ≥ 25.0.0, < 25.0.3 | published 2023-03-30
CWE-706. Nextcloud server is an open source home cloud implementation. In affected versions, when a recipient receives 2 shares with the same name while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to u
Source: nvd
CVE-2023-28833 | P3 | HIGH | CVSS 8.8 | affected: ≥ 23.0.0, < 23.0.14; ≥ 24.0.0, < 24.0.10; +1 more | published 2023-03-30
CWE-22. Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means, but this method could be exploited b
Source: nvd
CVE-2021-32679 | P3 | HIGH | CVSS 8.8 | fixed in 19.0.13; affected: ≥ 20.0.0, < 20.0.11; +1 more | published 2021-07-12
CWE-116. Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a b
Source: nvd
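What "escaping the filename" has to cover when it ends up in a Content-Disposition header, as an added example that is not Nextcloud's `DownloadResponse`: an unescaped double quote lets the caller close the `filename=` parameter and append its own, and a CR/LF lets it start a new header line. The hardened builder below strips control and format characters, escapes the quoted ASCII fallback, and carries any non-ASCII name in an RFC 5987 `filename*=` parameter. The function names and the sample filenames are constructed for illustration.

```python
"""Build a Content-Disposition header that a user-supplied filename cannot break.

Added example, not Nextcloud code. unsafe_download_header/safe_download_header
and the sample names are constructed assumptions. The output shape follows
RFC 6266 / RFC 5987: a quoted ASCII filename= plus a UTF-8 filename*= when needed.
"""
import unicodedata
from urllib.parse import quote


def unsafe_download_header(filename: str) -> str:
    """The weak pattern: interpolate the raw name into the header value.

    A name like  x"; filename="evil.exe  injects a second filename parameter,
    and a name containing \\r\\n injects a whole new response header.
    """
    return f'attachment; filename="{filename}"'


def safe_download_header(filename: str) -> str:
    """Escape a user-supplied filename for a Content-Disposition header."""
    # Drop every Unicode "C*" character: control chars (CR/LF/NUL) and format
    # chars such as U+202E RIGHT-TO-LEFT OVERRIDE, which can disguise extensions.
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch)[0] != "C")
    if not cleaned:
        cleaned = "download"

    # ASCII fallback for old clients: strip non-ASCII, escape backslash and quote
    # so the name can never terminate the quoted-string early.
    ascii_name = cleaned.encode("ascii", "ignore").decode("ascii") or "download"
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    header = f'attachment; filename="{ascii_name}"'

    # Modern clients prefer filename*; percent-encoding keeps it single-token.
    if not cleaned.isascii():
        header += "; filename*=UTF-8''" + quote(cleaned, safe="")
    return header


if __name__ == "__main__":
    # Constructed sample names covering the three failure modes above.
    for name in ['report.pdf', 'x"; filename="evil.exe',
                 "a\r\nSet-Cookie: pwned=1; b.txt", "résumé.pdf"]:
        print(repr(unsafe_download_header(name)))
        print(repr(safe_download_header(name)))
```

Run stand-alone, each pair prints the injectable header next to the escaped one; the assertions a reviewer would want are that the escaped output never contains a raw CR/LF and that an embedded quote can no longer close the parameter.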