Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29
Vulnerabilities
CVE-2021-39220 | P4 | LOW | CVSS 3.5 | CWE-20 | fixed in 1.10.4, < 1.11.0 | 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 by default does not render images in emails, so as not to leak the read state or user IP. The privacy filter failed to filter images with a relative protocol. It is recommended that the Nextcloud Mail application is upgraded to 1.10.
nvd
CVE-2022-24886 | P4 | LOW | CVSS 3.8 | CWE-200 | fixed in 3.19.0 | 2022-04-27
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known
nvd
CVE-2024-37314 | P4 | LOW | CVSS 3.5 | CWE-284 | v>= 25.0.1, < 25.0.7; v>= 26.0.0, < 26.0.2 | 2024-06-14
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.
nvd
CVE-2021-32680 | P4 | LOW | CVSS 3.3 | CWE-778 | fixed in 19.0.13; v>= 20.0.0, < 20.0.11; +1 more | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.
nvd
CVE-2025-66549 | P4 | LOW | CVSS 2.7 | CWE-209 | fixed in 3.16.5 | 2025-12-05
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
nvd
CVE-2025-66546 | P4 | LOW | CVSS 3.3 | CWE-639 | v>= 6.0.0-rc.1, < 6.0.1; v>= 5.0.0-rc.1, < 5.5.6; +1 more | 2025-12-05
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
nvd
CVE-2021-32653 | P4 | LOW | CVSS 2.7 | CWE-201 | fixed in 19.0.11; v>= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
nvd
CVE-2025-66515 | P4 | LOW | CVSS 2.7 | CWE-287 | v>= 2.0.0, < 2.5.0; fixed in 1.3.1 | 2025-12-05
The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.
nvd
CVE-2026-45155 | P4 | LOW | CVSS 2.6 | CWE-639 | v>= 32.0.0, < 32.0.7; v>= 33.0.0, < 33.0.1 | 2026-06-01
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check at the API level allowed unknown circles to be added by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, bu
nvd
CVE-2021-32695 | P4 | LOW | CVSS 3.3 | CWE-200 | fixed in 3.16.1 | 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some l
nvd
CVE-2023-48303 | P4 | LOW | CVSS 2.7 | CWE-284 | v>= 25.0.0, < 25.0.11; v>= 26.0.0, < 26.0.6; +1 more | 2023-11-21
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, admins can change authentication details of user configured external storage. Nextcloud Server and Nextcloud Enterprise Server versions 25.
nvd
CVE-2026-45154 | P4 | LOW | CVSS 2.6 | CWE-284 | v>= 2.6.0, < 4.3.0 | 2026-06-01
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective page was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0.
nvd
CVE-2022-29160 | P4 | LOW | CVSS 3.3 | CWE-284 | fixed in 3.19.0 | 2022-05-20
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There ar
nvd
CVE-2022-41969 | P4 | LOW | CVSS 2.7 | CWE-400 | fixed in 23.0.11; v>= 24.0.0, < 24.0.7 | 2022-12-01
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create use
nvd
CVE-2022-35931 | P4 | LOW | CVSS 2.7 | CWE-261 | v>= 24.0.0, < 24.0.3; fixed in 22.2.10; +1 more | 2022-09-06
Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch fo
nvd
CVE-2023-22473 | P4 | LOW | CVSS 2.1 | CWE-284 | fixed in 15.0.2 | 2023-01-09
Talk-Android enables users to have video & audio calls through Nextcloud on Android. Due to a passcode bypass, an attacker is able to access the user's Nextcloud files and view conversations. To exploit this the attacker needs to have physical access to the target's device. There are currently no known workarounds available. It is recommended that the Ne
nvd
CVE-2021-41181 | P4 | LOW | CVSS 2.4 | CWE-200 | fixed in 12.3.0 | 2022-03-08
Nextcloud Talk is a self-hosted messaging service. In versions prior to 12.3.0 the Nextcloud Android Talk application did not properly detect the lockscreen state when a call was incoming. If an attacker got physical access to the locked phone, and the victim received a phone call, the attacker could gain access to the chat messages and files of the us
nvd
CVE-2023-28646 | P4 | LOW | CVSS 2.4 | CWE-281 | v>= 3.7.0, < 3.24.1 | 2023-03-30
Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows the attacker to see meta information like sharer, sharees and activity of files.
nvd
CVE-2022-24885 | P4 | LOW | CVSS 2.4 | CWE-287 | fixed in 3.19.1 | 2022-04-27
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds.
nvd