Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29
Vulnerabilities
Page 2 of 13
CVE-2023-28833 | P3 | HIGH | CWE-22 | CVSS 8.8 | fixed in 24.0.10 | versions >= 25.0.0, < 25.0.4 | 2023-03-30
Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means but this method could be exploited b
Source: nvd
CVE-2023-48307 | P3 | CRITICAL | CWE-918 | CVSS 9.8 | versions >= 1.13.0, < 2.2.8; >= 3.1.0, < 3.3.0 | 2023-11-21
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to versions 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform an SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the Mail app.
Source: nvd
CVE-2023-39954 | P3 | HIGH | CWE-311 | CVSS 8.1 | versions >= 1.0.0, < 1.3.3 | 2023-08-10
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc 1.3.3 contains a patch. No known workarounds are availab
Source: nvd
CVE-2021-37628 | P3 | HIGH | CWE-639 | CVSS 7.5 | fixed in 3.8.4 | versions >= 4.0.0, < 4.2.1 | 2021-09-07
Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or
Source: nvd
CVE-2021-32679 | P3 | HIGH | CWE-116 | CVSS 8.8 | fixed in 19.0.13 | versions >= 20.0.0, < 20.0.11 (+1 more) | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a b
Source: nvd
CVE-2021-41177 | P3 | HIGH | CWE-799 | CVSS 8.1 | fixed in 20.0.13 | versions >= 21.0.0, < 21.0.5 (+1 more) | 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache b
Source: nvd
CVE-2021-39225 | P3 | HIGH | CWE-639 | CVSS 8.1 | fixed in 1.2.9 | versions >= 1.4.0, < 1.4.5 (+1 more) | 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows an authenticated user to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.
Source: nvd
CVE-2023-35927 | P3 | HIGH | CWE-284 | CVSS 8.1 | versions Nextcloud Server >= 25.0.0, < 25.0.7; Nextcloud Server >= 26.0.0, < 26.0.2 (+6 more) | 2023-06-23
NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7,
Source: nvd
CVE-2024-52519 | P3 | HIGH | CWE-922 | CVSS 8.2 | versions >= 28.0.0, < 28.0.10; >= 29.0.0, < 29.0.7 | 2024-11-15
Nextcloud Server is a self hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is
Source: nvd
CVE-2026-45156 | P3 | HIGH | CWE-287 | CVSS 8.1 | versions >= 0.3.0, < 3.1.0; >= 5.0.0, < 5.1.0 (+1 more) | 2026-06-01
Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0.
Source: nvd
CVE-2023-25817 | P3 | HIGH | CWE-281 | CVSS 8.1 | versions >= 24.0.0, < 24.0.9 | 2023-03-27
Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were only supposed to view or download. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known wo
Source: nvd
CVE-2024-37882 | P3 | HIGH | CWE-284 | CVSS 8.1 | versions >= 26.0.0, < 26.0.13; >= 27.0.0, < 27.1.8 (+1 more) | 2024-06-14
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.
Source: nvd
CVE-2021-32705 | P3 | HIGH | CWE-799 | CVSS 7.5 | fixed in 19.0.13 | versions >= 20.0.0, < 20.0.11 (+1 more) | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known
Source: nvd
CVE-2023-39962 | P3 | HIGH | CWE-284 | CVSS 7.7 | versions >= 19.0.0, < 19.0.13.10; >= 20.0.0, < 20.0.14.15 (+7 more) | 2023-08-10
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well.
Source: nvd
CVE-2023-32074 | P3 | CRITICAL | CWE-307 | CVSS 9.8 | fixed in 1.3.2 | 2023-05-25
The user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in the user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2.
Source: nvd
CVE-2023-39960 | P3 | HIGH | CWE-307 | CVSS 7.5 | versions >= 22.0.0, < 22.2.10.14; >= 23.0.0, < 23.0.12.9 (+3 more) | 2023-10-13
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.0.9 and 26.0.4, as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4, missing protection allows an attacker to brute force passwords on the
Source: nvd
CVE-2024-37885 | P3 | HIGH | CWE-94 | CVSS 7.8 | fixed in 3.12.0 | 2024-06-14
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in the Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when starting the client with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
Source: nvd
CVE-2023-25821 | P3 | HIGH | CWE-284 | CVSS 7.5 | versions >= 24.0.4, < 24.0.7; >= 25.0.0, < 25.0.1 | 2023-02-25
Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.
Source: nvd
CVE-2023-32320 | P3 | HIGH | CWE-307 | CVSS 7.5 | versions Nextcloud Server >= 25.0.0, < 25.0.7; Nextcloud Server >= 26.0.0, < 26.0.2 (+6 more) | 2023-06-22
Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests were sent in parallel, all of them were executed even if the number of faulty requests had exceeded the limit by the time the response was sent to the client. This allowed someone to send as many requests as the server could handle in parallel
Source: nvd
CVE-2023-28847 | P3 | HIGH | CWE-307 | CVSS 7.5 | versions >= 23.0.0, < 23.0.12.6; >= 24.0.0, < 24.0.11 (+1 more) | 2023-04-25
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5, as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5, an attacker is not restricted in verifying passwords of share link
Source: nvd