Nextcloud Server vulnerabilities
189 known vulnerabilities affecting nextcloud/nextcloud_server.
Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15
Vulnerabilities
Page 5 of 10
CVE-2023-25162 | P4 MEDIUM | CVSS 5.3 | CWE-918 | fixed in 23.0.12; ≥ 24.0.0, < 24.0.8 | 2023-02-13 | nvd
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which
CVE-2024-52518 | P4 MEDIUM | CVSS 5.4 | CWE-287 | ≥ 28.0.0, < 28.0.12; ≥ 29.0.0, < 29.0.9; +1 more | 2024-11-15 | nvd
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
CVE-2024-37884 | P4 MEDIUM | CVSS 5.4 | CWE-284 | ≥ 25.0.0, < 25.0.13.7; ≥ 26.0.0, < 26.0.13; +2 more | 2024-06-14 | nvd
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
CVE-2023-39958 | P4 MEDIUM | CVSS 5.3 | CWE-307 | ≥ 22.0.0, < 22.2.10.14; ≥ 23.0.0, < 23.0.12.9; +4 more | 2023-08-10 | nvd
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1
CVE-2025-66510 | P4 MEDIUM | CVSS 4.9 | CWE-359 | ≥ 28.0.0, < 28.0.14.11; ≥ 29.0.0, < 29.0.16.8; +3 more | 2025-12-05 | nvd
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user
CVE-2020-8296 | P4 MEDIUM | CVSS 6.7 | CWE-257 | fixed in 20.0.0 | 2021-03-03 | nvd
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
CVE-2016-9467 | P4 MEDIUM | CVSS 5.3 | CWE-451 | fixed in 9.0.54; ≥ 10.0.0, < 10.0.1 | 2017-03-28 | nvd
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
CVE-2019-15623 | P4 MEDIUM | CVSS 5.3 | CWE-359 | fixed in 14.0.13; ≥ 15.0.0, < 15.0.9; +2 more | 2020-02-04 | nvd
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
CVE-2018-16464 | P4 MEDIUM | CVSS 5.7 | CWE-287 | fixed in 14.0.0; < 14.0.0 | 2018-10-30 | nvd
A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password.
CVE-2021-32734 | P4 MEDIUM | CVSS 5.3 | CWE-209 | fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | 2021-07-12 | nvd
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3.
CVE-2021-32741 | P4 MEDIUM | CVSS 5.3 | CWE-799 | fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | 2021-07-12 | nvd
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known
CVE-2021-32725 | P4 MEDIUM | CVSS 5.3 | CWE-277 | fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | 2021-07-12 | nvd
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVE-2023-25161 | P4 MEDIUM | CVSS 5.3 | CWE-284 | fixed in 23.0.12; ≥ 24.0.0, < 24.0.8; +1 more | 2023-02-13 | nvd
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on the password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using an external email service
CVE-2025-47791 | P4 MEDIUM | CVSS 5.3 | CWE-918 | ≥ 28.0.0, < 28.0.13; ≥ 29.0.0, < 29.0.10; +1 more | 2025-05-16 | nvd
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing requests to be proxied to another server. The endpoint was removed in Nextcl
CVE-2023-32318 | P4 MEDIUM | CVSS 6.7 | CWE-613 | ≥ 25.0.2, < 25.0.6; 26.0.0 | 2023-05-26 | nvd
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be a
CVE-2023-35171 | P4 MEDIUM | CVSS 6.1 | CWE-601 | ≥ 26.0.0, < 26.0.2 | 2023-06-23 | nvd
NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2
CVE-2016-9468 | P4 MEDIUM | CVSS 5.3 | CWE-451 | fixed in 9.0.54; ≥ 10.0.0, ≤ 10.0.1 | 2017-03-28 | nvd
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.
CVE-2017-0936 | P4 MEDIUM | CVSS 5.7 | CWE-639 | fixed in 11.0.7; 12.0.5; +1 more | 2018-03-28 | nvd
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed nor could the error be misused to identify as another user.
CVE-2018-16467 | P4 MEDIUM | CVSS 5.3 | CWE-200 | fixed in 14.0.0; < 14.0.0 | 2018-10-30 | nvd
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
CVE-2022-41968 | P4 MEDIUM | CVSS 5.3 | CWE-400 | ≥ 23.0.0, < 23.0.10; ≥ 24.0.0, < 24.0.5 | 2022-12-01 | nvd
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.