Nextcloud Server vulnerabilities

CVE-2025-64011 [MEDIUM] CWE-639 CVE-2025-64011: Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/pre Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing perm

CVE-2025-66510 [MEDIUM] CWE-359 CVE-2025-66510: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32 Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user

CVE-2025-66547 [MEDIUM] CWE-639 CVE-2025-66547: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server p Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.

CVE-2025-66512 [MEDIUM] CWE-80 CVE-2025-66512: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise p Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page.

CVE-2025-66552 [MEDIUM] CWE-778 CVE-2025-66552: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server p Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30

CVE-2025-59788 [MEDIUM] CVE-2025-59788: Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextclo Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to v

CVE-2025-47790 [MEDIUM] CWE-287 CVE-2025-47790: Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and p

CVE-2025-47793 [MEDIUM] CWE-770 CVE-2025-47793: Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the

CVE-2025-47794 [LOW] CWE-284 CVE-2025-47794: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0. Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink atta

CVE-2025-47791 [MEDIUM] CWE-918 CVE-2025-47791: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0. Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcl

CVE-2024-52519 [LOW] CWE-922 CVE-2024-52519: Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file, would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is

CVE-2024-52525 [LOW] CWE-312 CVE-2024-52525: Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the clear

CVE-2024-52521 [LOW] CWE-328 CVE-2024-52521: Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jo Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not be queued for execution. By changing the Hash to SHA256 the probability was heavily decreased. It is recommended t

CVE-2024-52520 [MEDIUM] CWE-400 CVE-2024-52520: Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the lin Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.

CVE-2024-52517 [MEDIUM] CWE-200 CVE-2024-52517: Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the s Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30

CVE-2024-52523 [MEDIUM] CWE-200 CVE-2024-52523: Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator de Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Ser

CVE-2024-52516 [LOW] CWE-269 CVE-2024-52516: Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow s Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is up

CVE-2024-52518 [MEDIUM] CWE-287 CVE-2024-52518: Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

CVE-2024-52513 [LOW] CWE-200 CVE-2024-52513: Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Serve

CVE-2024-52515 [MEDIUM] CWE-706 CVE-2024-52515: Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.