Nextcloud Server vulnerabilities
189 known vulnerabilities affecting nextcloud/nextcloud_server.
Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15
Vulnerabilities
Page 6 of 10
CVE-2021-41233 | P4 MEDIUM | CVSS 5.3 | CWE-862 | fixed in 20.0.14 | affects ≥ 21.0.0, < 21.0.6 (+1 more) | 2022-03-10
Nextcloud Text is a collaborative document editing application using Markdown, built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is shipped with Nextcloud Server by default, an attacker is able to access the folder names of a "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is
Source: nvd
CVE-2022-39211 | P4 MEDIUM | CVSS 5.3 | CWE-918 | fixed in 23.0.8 | affects ≥ 24.0.0, < 24.0.4 | 2022-09-16
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There ar
Source: nvd
CVE-2022-39329 | P4 MEDIUM | CVSS 5.3 | CWE-284 | fixed in 23.0.9 | affects ≥ 24.0.0, < 24.0.5 | 2022-10-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for thi
Source: nvd
CVE-2022-31118 | P4 MEDIUM | CVSS 5.3 | CWE-770 | fixed in 22.2.9 | affects ≥ 23.0.0, < 23.0.6 (+1 more) | 2022-08-04
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrad
Source: nvd
CVE-2025-59788 | P4 MEDIUM | CVSS 5.4 | affects ≥ 30.0.0, < 30.0.17; ≥ 31.0.0, < 31.0.10 (+9 more) | 2025-12-04
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to v
Source: nvd
CVE-2024-52521 | P4 MEDIUM | CVSS 5.3 | CWE-328 | affects ≥ 28.0.0, < 28.0.10; ≥ 29.0.0, < 29.0.7 | 2024-11-15
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not being queued for execution. By changing the hash to SHA256 the probability was heavily decreased. It is recommende
Source: nvd
CVE-2020-8236 | P4 MEDIUM | CVSS 6.8 | CWE-287 | fixed in 19.0.2 | affects v19.0.2 | 2020-11-02
A wrong configuration in Nextcloud Server 19.0.1 incorrectly gave the user the impression that passwordless WebAuthn also served as a two-factor verification: it asked for the PIN of the passwordless WebAuthn credential but did not verify it.
Source: nvd
CVE-2017-0886 | P4 MEDIUM | CVSS 6.5 | CWE-674 | fixed in 9.0.55 | affects ≥ 10.0.0, < 10.0.2 (+1 more) | 2017-04-05
Nextcloud Server before 9.0.55 and 10.0.2 is vulnerable to a Denial of Service attack. Due to an error in the application logic, an authenticated adversary may trigger an endless recursion in the application, leading to a potential Denial of Service.
Source: nvd
CVE-2016-9465 | P4 MEDIUM | CVSS 5.4 | CWE-79 | affects ≥ 10.0.0, < 10.0.1 | 2017-03-28
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site
Source: nvd
CVE-2021-41239 | P4 MEDIUM | CVSS 5.3 | CWE-200 | fixed in 20.0.14 | affects ≥ 21.0.0, < 21.0.6 (+1 more) | 2022-03-08
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings set by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that the Nextcloud Server is upgraded
Source: nvd
CVE-2023-48301 | P4 MEDIUM | CVSS 5.4 | CWE-79 | affects ≥ 25.0.0, ≤ 25.0.13; ≥ 25.0.0, < 25.0.13 (+4 more) | 2023-11-21
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, an attacker could insert links into a circle's name that would be opened when clicking the circle name in a search filter. Nextcloud Server
Source: nvd
CVE-2023-48302 | P4 MEDIUM | CVSS 5.4 | CWE-79 | affects ≥ 25.0.0, < 25.0.13; ≥ 26.0.0, < 26.0.8 (+1 more) | 2023-11-21
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, when a user is tricked into copy-pasting HTML code without markup (Ctrl+Shift+V), the markup will actually render. Nextcloud Server and Ne
Source: nvd
CVE-2023-39959 | P4 MEDIUM | CVSS 5.3 | CWE-284 | affects ≥ 25.0.0, < 25.0.9; ≥ 26.0.0, < 26.0.4 (+1 more) | 2023-08-10
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4,
Source: nvd
CVE-2025-64011 | P4 MEDIUM | CVSS 4.3 | CWE-639 | affects v30.0.0 | 2025-12-12
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing perm
Source: nvd
CVE-2016-9466 | P4 MEDIUM | CVSS 6.1 | CWE-79 | affects ≥ 10.0.0, < 10.0.1 | 2017-03-28
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerabilit
Source: nvd
CVE-2016-9459 | P4 MEDIUM | CVSS 6.1 | CWE-209 | fixed in 9.0.52 | 2017-03-28
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. Ho
Source: nvd
CVE-2021-32733 | P4 MEDIUM | CVSS 6.1 | CWE-79 | fixed in 19.0.13 | affects ≥ 20.0.0, < 20.0.11 (+1 more) | 2021-07-12
Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users. Due to the strict Content-Security-Policy shipped w
Source: nvd
CVE-2018-3776 | P4 MEDIUM | CVSS 5.3 | CWE-20 | affects ≥ 11.0.0, < 11.0.5; ≥ 12.0.0, < 12.0.3 | 2018-08-12
Improper input validation in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
Source: nvd
CVE-2020-8294 | P4 MEDIUM | CVSS 5.4 | CWE-79 | fixed in 18.0.11 | affects ≥ 19.0.0, < 19.0.5 (+2 more) | 2021-02-03
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
Source: nvd
CVE-2018-3780 | P4 MEDIUM | CVSS 5.4 | CWE-79 | fixed in 13.0.5 | affects v>13.0.5 | 2018-08-13
A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.
Source: nvd