Nextcloud Security-Advisories vulnerabilities

234 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 234
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 42, MEDIUM 157, LOW 24

Vulnerabilities

Page 1 of 12
CVE-2025-66551 | MEDIUM | CVSS 4.3 | v>= 0.9.0-beta.1, < 0.9.3 | fixed in 0.8.6 | 2025-12-05
CVE-2025-66551 [MEDIUM] CWE-639: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.
cvelistv5, nvd
CVE-2025-66558 | MEDIUM | CVSS 4.3 | fixed in 1.4.2 | v>= 2.0.0-beta.1, < 2.4.1 | 2025-12-05
CVE-2025-66558 [LOW] CWE-639: Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next log
cvelistv5, nvd
CVE-2025-66554 | MEDIUM | CVSS 5.4 | v>= 7.0.0-alpha.1, < 7.2.5 | v>= 6.0.0-alpha1, < 6.0.6 | +1 more | 2025-12-05
CVE-2025-66554 [LOW] CWE-79: Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server cod
cvelistv5, nvd
CVE-2025-66547 | MEDIUM | CVSS 4.3 | fixed in 31.0.1 | 2025-12-05
CVE-2025-66547 [MEDIUM] CWE-639: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
cvelistv5, nvd
CVE-2025-66510 | MEDIUM | CVSS 4.9 | v>= 32.0.0beta1, < 32.0.1 | fixed in 31.0.10 | 2025-12-05
CVE-2025-66510 [MEDIUM] CWE-359: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed retrieval of personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user
cvelistv5, nvd
CVE-2025-66511 | MEDIUM | CVSS 6.5 | v>= 6.0.0-rc.1, < 6.0.3 | 2025-12-05
CVE-2025-66511 [MEDIUM] CWE-330: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerab
cvelistv5, nvd
CVE-2025-66512 | MEDIUM | CVSS 6.1 | v>= 32.0.0beta1, < 32.0.3 | fixed in 31.0.12 | 2025-12-05
CVE-2025-66512 [MEDIUM] CWE-80: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page.
cvelistv5, nvd
CVE-2025-66552 | MEDIUM | CVSS 4.3 | v>= 32.0.0beta1, < 32.0.1 | fixed in 31.0.9 | 2025-12-05
CVE-2025-66552 [MEDIUM] CWE-778: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30
cvelistv5, nvd
CVE-2025-66513 | MEDIUM | CVSS 5.3 | v>= 1.0.0-beta.1, < 1.0.1 | v>= 0.9.0-beta.1, < 0.9.6 | +1 more | 2025-12-05
CVE-2025-66513 [MEDIUM] CWE-639: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
cvelistv5, nvd
CVE-2025-66550 | MEDIUM | CVSS 5.7 | v>= 5.0.0-rc.1, < 5.2.4 | fixed in 4.7.17 | 2025-12-05
CVE-2025-66550 [MEDIUM] CWE-241: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
cvelistv5, nvd
CVE-2025-66514 | MEDIUM | CVSS 5.4 | v>= 5.2.0-beta.1, < 5.5.3 | 2025-12-05
CVE-2025-66514 [LOW] CWE-79: Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code.
cvelistv5, nvd
CVE-2025-66553 | MEDIUM | CVSS 4.3 | v>= 0.9.0-beta.1, < 0.9.4 | fixed in 0.8.7 | 2025-12-05
CVE-2025-66553 [MEDIUM] CWE-639: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view metadata of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
cvelistv5, nvd
CVE-2025-66556 | MEDIUM | CVSS 4.3 | fixed in 20.1.8 | v>= 21.0.0-beta.1, < 21.1.2 | 2025-12-05
CVE-2025-66556 [LOW] CWE-639: Nextcloud Talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
cvelistv5, nvd
CVE-2025-66548 | MEDIUM | CVSS 5.5 | v>= 1.15.0-beta.1, < 1.15.1 | v>= 1.14.0-beta.1, < 1.14.4 | +1 more | 2025-12-05
CVE-2025-66548 [LOW] CWE-116: Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1.12
cvelistv5, nvd
CVE-2025-66545 | MEDIUM | CVSS 4.3 | fixed in 14.0.11 | v>= 15.0.0-beta1, < 15.3.12 | +5 more | 2025-12-05
CVE-2025-66545 [LOW] CWE-707: Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
cvelistv5, nvd
CVE-2025-66557 | MEDIUM | CVSS 4.3 | v>= 1.15.0-beta.1, < 1.15.2 | fixed in 1.14.6 | 2025-12-05
CVE-2025-66557 [MEDIUM] CWE-284: Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
cvelistv5, nvd
CVE-2025-66515 | LOW | CVSS 2.7 | v>= 2.0.0, < 2.5.0 | fixed in 1.3.1 | 2025-12-05
CVE-2025-66515 [LOW] CWE-287: The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.
cvelistv5, nvd
CVE-2025-66549 | LOW | CVSS 2.7 | fixed in 3.16.5 | 2025-12-05
CVE-2025-66549 [LOW] CWE-209: Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
cvelistv5, nvd
CVE-2025-66546 | LOW | CVSS 3.3 | v>= 6.0.0-rc.1, < 6.0.1 | v>= 5.0.0-rc.1, < 5.5.6 | +1 more | 2025-12-05
CVE-2025-66546 [LOW] CWE-639: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
cvelistv5, nvd
CVE-2025-58051 | MEDIUM | CVSS 6.5 | v>= 0.7.0, < 0.7.6 | v>= 0.8.0, < 0.8.8 | +1 more | 2025-10-16
CVE-2025-58051 [MEDIUM] CWE-841: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Ta
cvelistv5, nvd