Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities (page 12 of 13)
CVE-2022-39334 | P4 | MEDIUM | CVSS 4.7 | CWE-295 | fixed in 3.6.1 | 2022-11-25 | source: NVD
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only.

CVE-2022-24906 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | fixed in 1.2.11; >= 1.4.0, < 1.4.6; +1 more | 2022-05-20 | source: NVD
Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.

CVE-2023-39961 | P4 | MEDIUM | CVSS 4.3 | CWE-284 | >= 24.0.4, < 24.0.12.5; >= 25.0.0, < 25.0.9; +2 more | 2023-08-10 | source: NVD
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4

CVE-2023-33183 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 3.5.5; fixed in 4.2.3 | 2023-05-30 | source: NVD
Calendar app for Nextcloud easily syncs events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app is updated to 3.5.5 or 4.2.3.

CVE-2024-52507 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | >= 0.3.0, < 0.8.1 | 2024-11-15 | source: NVD
Nextcloud Tables allows users to create tables with individual columns. The information which Table (numeric ID) is shared with which groups and users and the respective permissions was not limited to affected users. It is recommended that the Nextcloud Tables app is upgraded to 0.8.1.

CVE-2023-45150 | P4 | MEDIUM | CVSS 4.3 | CWE-400 | >= 1.0.0, < 4.4.4 | 2023-10-16 | source: NVD
Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks, the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The

CVE-2021-32694 | P4 | MEDIUM | CVSS 5.5 | CWE-248 | fixed in 3.15.1 | 2021-06-17 | source: NVD
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device can crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.

CVE-2023-23943 | P4 | MEDIUM | CVSS 4.3 | CWE-918 | >= 2.0.0, < 2.2.2; fixed in 1.15.0 | 2023-02-06 | source: NVD
Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Mail app is upgraded to 1.15.0 or 2.2.2. The only known workaround fo

CVE-2023-48305 | P4 | MEDIUM | CVSS 4.4 | CWE-312 | >= 25.0.0, < 25.0.11; >= 26.0.0, < 26.0.6; +1 more | 2023-11-21 | source: NVD
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then le

CVE-2021-32658 | P4 | MEDIUM | CVSS 4.6 | CWE-200 | fixed in 3.16.1 | 2021-06-08 | source: NVD
Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1.

CVE-2024-52514 | P4 | LOW | CVSS 3.5 | CWE-284 | >= 28.0.0, < 28.0.5; >= 27.0.0, < 27.1.9 | 2024-11-15 | source: NVD
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud, allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommen

CVE-2026-45159 | P4 | LOW | CVSS 3.5 | CWE-639 | >= 1.15.0, < 1.15.4; >= 1.16.0, < 1.16.3; +2 more | 2026-06-01 | source: NVD
Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modi

CVE-2023-49790 | P4 | MEDIUM | CVSS 4.3 | CWE-287 | fixed in 4.9.2 | 2023-12-22 | source: NVD
The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available.

CVE-2021-32655 | P4 | LOW | CVSS 3.5 | CWE-241 | fixed in 19.0.11; >= 20.0.0, < 20.0.10; +1 more | 2021-06-01 | source: NVD
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected

CVE-2024-22403 | P4 | LOW | CVSS 3.7 | CWE-613 | fixed in 28.0.0 | 2024-01-18 | source: NVD
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an a

CVE-2026-45266 | P4 | LOW | CVSS 3.5 | CWE-284 | fixed in 21.1.10; fixed in 22.0.11; +1 more | 2026-06-01 | source: NVD
Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3.

CVE-2026-45277 | P4 | LOW | CVSS 3.3 | CWE-200 | fixed in 2.7.2 | 2026-06-01 | source: NVD
Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2.

CVE-2023-22469 | P4 | LOW | CVSS 3.5 | CWE-922 | fixed in 1.8.2 | 2023-01-10 | source: NVD
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, an unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that

CVE-2023-28845 | P4 | LOW | CVSS 3.5 | CWE-284 | >= 15.0.0, < 15.0.4; >= 14.0.0, < 14.0.9 | 2023-03-31 | source: NVD
Nextcloud talk is a video & audio conferencing app for Nextcloud. In affected versions the talk app does not properly filter access to a conversation's member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they themselves are not members. It is recommended that the Nextclou

CVE-2024-37887 | P4 | LOW | CVSS 3.5 | CWE-284 | >= 27.0.0, < 27.1.10; >= 27.0.0, < 28.0.6; +1 more | 2024-06-14 | source: NVD
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.