
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 1 of 13
CVE-2023-26482 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 24.0.10; affected >= 25.0.0, < 25.0.4 | 2023-03-30
[HIGH] CWE-78: Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due
Source: nvd
CVE-2022-24838 | P2 | CRITICAL | CVSS 9.8 | fixed in 3.2.2 | 2022-04-11
[CRITICAL] CWE-74: Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO: ` SMTP command and begin injecting arbitrary SMTP comm
Source: nvd
CVE-2021-32726 | P3 | CRITICAL | CVSS 9.8 | fixed in 19.0.13; affected >= 20.0.0, < 20.0.11 (+1 more) | 2021-07-12
[CRITICAL] CWE-708: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There a
Source: nvd
CVE-2023-49792 | P3 | CRITICAL | CVSS 9.8 | affected >= 23.0.0, < 23.0.12.13; >= 24.0.0, < 24.0.12.9 (+3 more) | 2023-12-22
[CRITICAL] CWE-307: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a
Source: nvd
CVE-2021-32688 | P3 | HIGH | CVSS 8.8 | fixed in 19.0.13; affected >= 20.0.0, < 20.0.11 (+1 more) | 2021-07-12
[HIGH] CWE-285: Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, th
Source: nvd
CVE-2021-32802 | P3 | CRITICAL | CVSS 9.8 | fixed in 20.0.12; affected >= 21.0.0, < 21.0.4 (+1 more) | 2021-09-07
[CRITICAL] CWE-829: Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to
Source: nvd
CVE-2021-32654 | P3 | CRITICAL | CVSS 9.1 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10 (+1 more) | 2021-06-01
[CRITICAL] CWE-639: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.1
Source: nvd
CVE-2023-48306 | P3 | CRITICAL | CVSS 9.8 | affected >= 22.0.0, < 22.2.10.16; >= 23.0.0, < 23.0.12.11 (+4 more) | 2023-11-21
[CRITICAL] CWE-918: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, the DNS pin middlew
Source: nvd
CVE-2024-22212 | P3 | CRITICAL | CVSS 9.8 | affected >= 1.1.0, < 1.4.1; >= 2.0.0, < 2.1.2 (+2 more) | 2024-01-18
[CRITICAL] CWE-306: Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. T
Source: nvd
CVE-2023-30539 | P3 | HIGH | CVSS 8.8 | affected Nextcloud Server < 24.0.11; Nextcloud Server >= 25.0.0, < 25.0.5 (+6 more) | 2023-04-17
[HIGH] CWE-284: Nextcloud is a personal home server system. Depending on the tags and other workflows that are set up, this issue can be used to limit the access of others, or to grant them access, where system-tag-based file access control or file retention rules are in place. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enter
Source: nvd
CVE-2021-32800 | P3 | HIGH | CVSS 8.1 | fixed in 20.0.12; affected >= 21.0.0, < 21.0.4 (+1 more) | 2021-09-07
[HIGH] CWE-306: Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4
Source: nvd
CVE-2026-45281 | P3 | HIGH | CVSS 8.1 | affected >= 32.0.0, < 32.0.9; >= 33.0.0, < 33.0.3 | 2026-06-01
[HIGH] CWE-639: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users' principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of i
Source: nvd
CVE-2022-31132 | P3 | CRITICAL | CVSS 9.8 | fixed in 1.12.8; affected >= 1.13.0, < 1.13.6 | 2022-08-04
[CRITICAL] CWE-918: Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users
Source: nvd
CVE-2023-35172 | P3 | CRITICAL | CVSS 9.1 | affected Nextcloud Server >= 25.0.0, < 25.0.7; Nextcloud Server >= 26.0.0, < 26.0.2 (+6 more) | 2023-06-23
[CRITICAL] CWE-307: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.
Source: nvd
CVE-2023-45151 | P3 | HIGH | CVSS 8.8 | affected >= 25.0.0, < 25.0.8; >= 26.0.0, < 26.0.3 (+1 more) | 2023-10-16
[HIGH] CWE-312: Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. Ther
Source: nvd
CVE-2026-45284 | P3 | HIGH | CVSS 8.8 | affected >= 1.3.6, < 8.4.0 | 2026-06-01
[HIGH] CWE-284: Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.
Source: nvd
CVE-2023-35928 | P3 | HIGH | CVSS 8.8 | affected Nextcloud Enterprise Server >= 19.0.0, < 19.0.13.9; Nextcloud Enterprise Server >= 20.0.0.0, < 20.0.14.14 (+8 more) | 2023-06-23
[HIGH] CWE-274: Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.
Source: nvd
CVE-2026-45545 | P3 | HIGH | CVSS 8.2 | affected >= 0.7.0, < 0.7.7; >= 0.8.0, < 0.8.10 (+2 more) | 2026-06-01
[HIGH] CWE-89: Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries of up to 20 bytes in length through a stored injection. With carefully crafted input it i
Source: nvd
CVE-2021-32656 | P3 | HIGH | CVSS 8.6 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10 (+1 more) | 2021-06-01
[HIGH] CWE-284: Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supp
Source: nvd
CVE-2023-28643 | P3 | HIGH | CVSS 8.8 | fixed in 24.0.9; affected >= 25.0.0, < 25.0.3 | 2023-03-30
[HIGH] CWE-706: Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to u
Source: nvd