Nextcloud Server vulnerabilities
189 known vulnerabilities affecting nextcloud/nextcloud_server.
Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown
CRITICAL: 7, HIGH: 42, MEDIUM: 125, LOW: 15
Vulnerabilities
Page 8 of 10
CVE-2025-66552 | P4 | MEDIUM | CVSS 4.3 | CWE-778 | ≥ 30.0.0, < 30.0.9; ≥ 31.0.0, < 31.0.1 | 2025-12-05
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30
nvd
CVE-2025-66547 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | ≥ 31.0.0, < 31.0.1 | 2025-12-05
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
nvd
CVE-2026-45283 | P4 | MEDIUM | CVSS 4.3 | CWE-287 | ≥ 32.0.0, < 32.0.2; ≥ 33.0.0, < 33.0.1; +1 more | 2026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting th
nvd
CVE-2016-7419 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 9.0.51 | 2016-09-17
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
nvd
CVE-2016-9464 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 9.0.54; v10.0 | 2017-03-28
Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implemen
nvd
CVE-2018-3762 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 12.0.8; ≥ 13.0.0, < 13.0.3; +1 more | 2018-07-05
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.
nvd
CVE-2022-39330 | P4 | MEDIUM | CVSS 4.3 | CWE-400 | fixed in 23.0.10; ≥ 24.0.0, < 24.0.6 | 2022-10-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server
nvd
CVE-2021-41241 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | fixed in 20.0.14; ≥ 21.0.0, < 21.0.6; +1 more | 2022-03-08
Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking
nvd
CVE-2024-37315 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | ≥ 23.0.0, ≤ 23.0.12; ≥ 24.0.0, ≤ 24.0.12; +4 more | 2024-06-14
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.1
nvd
CVE-2022-29243 | P4 | MEDIUM | CVSS 4.3 | CWE-20 | fixed in 22.2.7; fixed in 23.0.4 | 2022-05-31
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.
nvd
CVE-2022-29163 | P4 | MEDIUM | CVSS 4.3 | CWE-671 | fixed in 22.2.6; ≥ 23.0.0, < 23.0.3 | 2022-05-20
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this issue. There are currently no known workar
nvd
CVE-2017-0887 | P4 | MEDIUM | CVSS 4.3 | CWE-807 | fixed in 9.0.55; ≥ 10.0.0, < 10.0.2; +1 more | 2017-04-05
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator.
nvd
CVE-2023-28834 | P4 | MEDIUM | CVSS 4.3 | CWE-212 | ≥ 23.0.0, < 23.0.14; ≥ 24.0.0, < 24.0.10; +1 more | 2023-04-03
Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server fr
nvd
CVE-2024-52513 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | ≥ 25.0.0, < 25.0.13.13; ≥ 26.0.0, < 26.0.13.9; +4 more | 2024-11-15
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Se
nvd
CVE-2024-52516 | P4 | MEDIUM | CVSS 4.3 | CWE-269 | ≥ 26.0.0, < 26.0.13.9; ≥ 27.0.0, < 27.1.11.9; +2 more | 2024-11-15
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in one's own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is
nvd
CVE-2022-31014 | P4 | LOW | CVSS 3.5 | CWE-74 | fixed in 19.0.13.7; fixed in 22.2.8; +4 more | 2022-07-05
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as th
nvd
CVE-2017-0888 | P4 | MEDIUM | CVSS 4.3 | CWE-451 | v10.0.2; vAll versions before 9.0.55 and 10.0.2 | 2017-04-05
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.
nvd
CVE-2020-8119 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 15.0.13; ≥ 16.0.0, < 16.0.6; +2 more | 2020-02-04
Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
nvd
CVE-2023-45148 | P4 | MEDIUM | CVSS 4.3 | CWE-307 | ≥ 22.0.0, < 22.2.10.16; ≥ 23.0.0, < 23.0.12.11; +4 more | 2023-10-16
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distr
nvd
CVE-2022-24889 | P4 | MEDIUM | CVSS 4.3 | CWE-345 | fixed in 21.0.8; ≥ 22.0.0, < 22.2.4; +1 more | 2022-04-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.
nvd