Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29
Vulnerabilities
Page 10 of 13
CVE-2025-66545 | P4 MEDIUM | CVSS 4.3 | CWE-707 | fixed in 14.0.11; >= 15.0.0-beta1, < 15.3.12; +5 more | 2025-12-05
Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
Source: nvd
CVE-2026-45283 | P4 MEDIUM | CVSS 4.3 | CWE-287 | >= 32.0.0, < 32.0.2; >= 33.0.0, < 33.0.1 | 2026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting th
Source: nvd
CVE-2022-41926 | P4 MEDIUM | CVSS 5.5 | CWE-200 | fixed in 14.1.0 | 2022-11-25
Nextcloud Talk Android is the Android implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by broadcastPermission, allowing malicious apps to monitor communication. It is recommended that Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.
Source: nvd
CVE-2022-39330 | P4 MEDIUM | CVSS 4.3 | CWE-400 | >= 23.0.0, < 23.0.9; >= 24.0.0, < 24.0.5; +1 more | 2022-10-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/CPU load. Nextcloud Server
Source: nvd
CVE-2021-41241 | P4 MEDIUM | CVSS 4.3 | CWE-863 | fixed in 20.0.14; >= 21.0.0, < 21.0.6; +1 more | 2022-03-08
Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking
Source: nvd
CVE-2024-37315 | P4 MEDIUM | CVSS 4.3 | CWE-284 | >= 26.0.0, < 26.0.12; >= 27.0.0, < 27.1.7; +1 more | 2024-06-14
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.1
Source: nvd
CVE-2022-29243 | P4 MEDIUM | CVSS 4.3 | CWE-20 | fixed in 22.2.7; >= 23.0.0, < 23.0.4 | 2022-05-31
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.
Source: nvd
CVE-2024-37886 | P4 MEDIUM | CVSS 4.7 | CWE-347 | fixed in 1.3.5 | 2024-06-14
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
Source: nvd
CVE-2021-32707 | P4 MEDIUM | CVSS 4.3 | CWE-20 | fixed in 1.9.6 | 2021-07-12
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there wa
Source: nvd
CVE-2021-32652 | P4 MEDIUM | CVSS 4.3 | CWE-284 | fixed in 1.4.3; >= 1.5.5, < 1.8.2 | 2021-06-01
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows other authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.
Source: nvd
CVE-2022-29163 | P4 MEDIUM | CVSS 4.3 | CWE-671 | fixed in 22.2.6; >= 23.0.0, < 23.0.3 | 2022-05-20
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this issue. There are currently no known workar
Source: nvd
CVE-2026-45153 | P4 MEDIUM | CVSS 4.6 | CWE-287 | >= 33.0.0, < 33.1.0 | 2026-06-01
Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.
Source: nvd
CVE-2023-28834 | P4 MEDIUM | CVSS 4.3 | CWE-212 | >= 23.0.0, < 23.0.14; >= 24.0.0, < 24.0.10; +1 more | 2023-04-03
Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server fr
Source: nvd
CVE-2023-26041 | P4 MEDIUM | CVSS 4.3 | CWE-359 | fixed in 15.0.3 | 2023-02-27
Nextcloud Talk is a fully on-premises audio/video and chat communication service. When cron jobs were misconfigured and therefore messages are not expired, the API would still return them while they were then hidden by the frontend code. It is recommended that Nextcloud Talk is upgraded to 15.0.3. There are no workarounds available.
Source: nvd
CVE-2023-30540 | P4 MEDIUM | CVSS 4.3 | CWE-200 | >= 15.0.0, < 15.0.5 | 2023-04-17
Nextcloud Talk is a chat, video & audio call extension for Nextcloud. In affected versions a user that was added later to a conversation can use this information to get access to data that was deleted before they were added to the conversation. This issue has been patched in version 15.0.5 and it is recommended that users upgrade to 15.0.5. There are
Source: nvd
CVE-2023-45660 | P4 MEDIUM | CVSS 4.3 | CWE-918 | >= 2.0.0, < 2.2.8; >= 3.0.0, < 3.3.0 | 2023-10-16
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerabilit
Source: nvd
CVE-2022-31131 | P4 MEDIUM | CVSS 4.3 | CWE-287 | fixed in 1.12.2 | 2022-07-06
Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. Ther
Source: nvd
CVE-2024-22404 | P4 MEDIUM | CVSS 4.3 | CWE-281 | >= 1.2.0, < 1.2.1; >= 1.3.0, < 1.4.1 | 2024-01-18
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.
Source: nvd
CVE-2024-52513 | P4 MEDIUM | CVSS 4.3 | CWE-200 | >= 28.0.0, < 28.0.11; >= 29.0.0, < 29.0.8; +1 more | 2024-11-15
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Se
Source: nvd
CVE-2023-45149 | P4 MEDIUM | CVSS 4.3 | CWE-307 | >= 15.0.0, < 15.0.8; >= 16.0.0, < 16.0.6; +1 more | 2023-10-16
Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1
Source: nvd