Nextcloud Server vulnerabilities
189 known vulnerabilities affecting nextcloud/nextcloud_server.
Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15
Vulnerabilities
Page 4 of 10
CVE-2023-32319 | MEDIUM (P3) | CVSS 6.5 | CWE-307 | Affected: ≥ 24.0.0, < 24.0.11; ≥ 25.0.0, < 25.0.5 | Published: 2023-05-26
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26
Source: nvd
CVE-2022-39364 | MEDIUM (P3) | CVSS 6.5 | CWE-312 | Affected: fixed in 23.0.9; ≥ 24.0.0, < 24.0.5 | Published: 2022-10-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Ser
Source: nvd
CVE-2019-15613 | HIGH (P3) | CVSS 8.0 | CWE-20 | Affected: fixed in 15.0.14; ≥ 16.0.0, < 16.0.7; +2 more | Published: 2020-02-04
A bug in Nextcloud Server 17.0.1 causes the behaviour of the workflow rules to depend on the file extension when checking file mimetypes.
Source: nvd
CVE-2025-47793 | MEDIUM (P3) | CVSS 6.5 | CWE-770 | Affected: ≥ 28.0.0, < 28.0.12; ≥ 29.0.0, < 29.0.9; +1 more | Published: 2025-05-16
Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the
Source: nvd
CVE-2023-28844 | MEDIUM (P3) | CVSS 6.5 | CWE-284 | Affected: ≥ 24.0.4, < 24.0.10; ≥ 25.0.0, < 25.0.4 | Published: 2023-03-31
Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnera
Source: nvd
CVE-2025-47790 | MEDIUM (P3) | CVSS 6.4 | CWE-287 | Affected: ≥ 26.0.0, < 26.0.13.15; ≥ 27.0.0, < 27.1.11.15; +4 more | Published: 2025-05-16
Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and p
Source: nvd
CVE-2020-8293 | MEDIUM (P4) | CVSS 6.5 | CWE-400 | Affected: fixed in 18.0.11; ≥ 19.0.0, < 19.0.5; +2 more | Published: 2021-01-26
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.
Source: nvd
CVE-2017-0883 | MEDIUM (P4) | CVSS 6.4 | CWE-275 | Affected: ≤ 9.0.54; 10.0.2; +1 more | Published: 2017-04-05
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an attacker to edit files in a share despite having only a 'read' permission set
Source: nvd
CVE-2023-25816 | MEDIUM (P4) | CVSS 6.5 | CWE-400 | Affected: ≥ 25.0.0, < 25.0.3 | Published: 2023-02-25
Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available.
Source: nvd
CVE-2024-52520 | MEDIUM (P3) | CVSS 6.5 | CWE-400 | Affected: ≥ 27.0.0, < 27.1.11.8; ≥ 28.0.0, < 28.0.10; +1 more | Published: 2024-11-15
Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.
Source: nvd
CVE-2024-52517 | MEDIUM (P4) | CVSS 5.9 | CWE-200 | Affected: ≥ 25.0.0, < 25.0.13.13; ≥ 26.0.0, < 26.0.13.9; +4 more | Published: 2024-11-15
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing them to be read in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30
Source: nvd
CVE-2022-39346 | MEDIUM (P4) | CVSS 6.5 | CWE-20 | Affected: fixed in 22.2.10; ≥ 23.0.0, < 23.0.7; +1 more | Published: 2022-11-25
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names, which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workaround
Source: nvd
CVE-2021-32678 | MEDIUM (P4) | CVSS 5.3 | CWE-799 | Affected: fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | Published: 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range
Source: nvd
CVE-2022-24741 | MEDIUM (P4) | CVSS 6.5 | CWE-400 | Affected: ≥ 21.0.0, < 21.0.8; ≥ 22.0.0, < 22.2.4; +1 more | Published: 2022-03-09
Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade
Source: nvd
CVE-2020-8223 | MEDIUM (P4) | CVSS 6.5 | CWE-269 | Affected: 19.0.0; fixed in 19.0.1 | Published: 2020-10-05
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
Source: nvd
CVE-2019-15621 | MEDIUM (P4) | CVSS 6.5 | CWE-281 | Affected: fixed in 14.0.13; ≥ 15.0.0, < 15.0.9; +2 more | Published: 2020-02-04
Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.
Source: nvd
CVE-2023-49791 | MEDIUM (P4) | CVSS 5.4 | CWE-284 | Affected: ≥ 23.0.0, < 23.0.12.13; ≥ 24.0.0, < 24.0.12.9; +3 more | Published: 2023-12-22
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they
Source: nvd
CVE-2025-66512 | MEDIUM (P4) | CVSS 6.1 | CWE-80 | Affected: ≥ 31.0.0, < 31.0.12; ≥ 32.0.0, < 32.0.3 | Published: 2025-12-05
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page.
Source: nvd
CVE-2021-32703 | MEDIUM (P4) | CVSS 5.3 | CWE-799 | Affected: fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | Published: 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Source: nvd
CVE-2021-32766 | MEDIUM (P4) | CVSS 5.3 | CWE-209 | Affected: fixed in 20.0.12; ≥ 21.0.0, < 21.0.4; +1 more | Published: 2021-09-07
Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (ak
Source: nvd