Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29
Vulnerabilities
Page 11 of 13
CVE-2024-22401 [P4, MEDIUM, CVSS 4.3] CWE-281 | affected: >= 2.4.0, < 2.4.1; >= 2.5.0, < 2.5.1; +1 more | published 2024-01-18
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerabi
Source: nvd
CVE-2022-36075 [P4, MEDIUM, CVSS 4.3] CWE-200 | affected: fixed in 1.12.2; >= 1.13.0, < 1.13.1; +1 more | published 2022-09-15
Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known work
Source: nvd
CVE-2024-52516 [P4, MEDIUM, CVSS 4.3] CWE-269 | affected: >= 28.0.0, < 28.0.9; >= 29.0.0, < 29.0.5 | published 2024-11-15
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in one's own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is
Source: nvd
CVE-2022-31014 [P4, LOW, CVSS 3.5] CWE-74 | affected: fixed in 22.2.8; >= 23.0.0, < 23.0.5; +1 more | published 2022-07-05
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as th
Source: nvd
CVE-2024-37883 [P4, MEDIUM, CVSS 4.3] CWE-284 | affected: >= 1.6.0, < 1.6.6; >= 1.7.0, < 1.7.5; +4 more | published 2024-06-14
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or
Source: nvd
CVE-2025-66557 [P4, MEDIUM, CVSS 4.3] CWE-284 | affected: >= 1.15.0-beta.1, < 1.15.2; fixed in 1.14.6 | published 2025-12-05
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
Source: nvd
CVE-2025-66553 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: >= 0.9.0-beta.1, < 0.9.4; fixed in 0.8.7 | published 2025-12-05
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.
Source: nvd
CVE-2026-45544 [P4, MEDIUM, CVSS 4.3] CWE-1230 | affected: >= 0.8.0, < 1.0.4 | published 2026-06-01
Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria is exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0.
Source: nvd
CVE-2025-66551 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: >= 0.9.0-beta.1, < 0.9.3; fixed in 0.8.6 | published 2025-12-05
Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.
Source: nvd
CVE-2024-37316 [P4, MEDIUM, CVSS 4.6] CWE-241 | affected: >= 4.3.0, < 4.6.8; >= 4.7.0, < 4.7.2 | published 2024-06-14
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2.
Source: nvd
CVE-2024-37317 [P4, MEDIUM, CVSS 4.6] CWE-284 | affected: >= 4.6.0, < 4.9.3 | published 2024-06-14
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Source: nvd
CVE-2022-29159 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: fixed in 1.4.8; >= 1.5.0, < 1.5.6; +1 more | published 2022-05-20
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-kno
Source: nvd
CVE-2022-24890 [P4, MEDIUM, CVSS 4.3] CWE-200 | affected: fixed in 13.0.5 | published 2022-05-17
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
Source: nvd
CVE-2023-33182 [P4, MEDIUM, CVSS 4.3] CWE-20 | affected: >= 4.1.0, < 4.2.4; >= 5.0.0, < 5.0.3 | published 2023-05-30
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.
Source: nvd
CVE-2023-45148 [P4, MEDIUM, CVSS 4.3] CWE-307 | affected: >= 25.0.0, < 25.0.11; >= 26.0.0, < 26.0.6; +1 more | published 2023-10-16
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distr
Source: nvd
CVE-2022-24889 [P4, MEDIUM, CVSS 4.3] CWE-345 | affected: fixed in 21.0.8; fixed in 22.2.4; +1 more | published 2022-04-27
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.
Source: nvd
CVE-2023-22471 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: >= 1.60, < 1.6.5; >= 1.7.0, < 1.7.3; +1 more | published 2023-01-14
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the Nextcloud Deck app is upgraded to 1.6.5 or 1.7.3 or 1.8.2.
Source: nvd
CVE-2022-39339 [P4, MEDIUM, CVSS 4.3] CWE-319 | affected: fixed in 1.2.1 | published 2022-11-25
user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens are sent in plain text over HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc
Source: nvd
CVE-2025-66558 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: fixed in 1.4.2; >= 2.0.0-beta.1, < 2.4.1 | published 2025-12-05
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA webauthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next
Source: nvd
CVE-2025-66556 [P4, MEDIUM, CVSS 4.3] CWE-639 | affected: fixed in 20.1.8; >= 21.0.0-beta.1, < 21.1.2 | published 2025-12-05
Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.
Source: nvd