
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 4 of 13
CVE-2023-39963 | P3 | HIGH | CVSS 7.8 | affected: >= 20.0.0, < 20.0.14.15; >= 21.0.0, < 21.0.9.13; +6 more | 2023-08-10
CVE-2023-39963 [HIGH] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwo
Source: NVD
CVE-2023-48239 | P3 | HIGH | CVSS 7.1 | affected: >= 25.0.0, < 25.0.13; >= 26.0.0, < 26.0.8; +6 more | 2023-11-21
CVE-2023-48239 [HIGH] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server,
Source: NVD
CVE-2021-41179 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 20.0.13; >= 21.0.0, < 21.0.5; +1 more | 2021-10-25
CVE-2021-41179 [MEDIUM] CWE-304: Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud T
Source: NVD
CVE-2023-39952 | P3 | MEDIUM | CVSS 6.5 | affected: >= 22.0.0, < 22.2.10.13; >= 23.0.0, < 23.0.12.8; +4 more | 2023-08-10
CVE-2023-39952 [MEDIUM] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud
Source: NVD
CVE-2024-52515 | P3 | MEDIUM | CVSS 6.5 | affected: >= 29.0.0, < 29.0.1; >= 28.0.0, < 28.0.6; +1 more | 2024-11-15
CVE-2024-52515 [MEDIUM] CWE-706: Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.
Source: NVD
CVE-2025-58051 | P3 | MEDIUM | CVSS 6.5 | affected: >= 0.7.0, < 0.7.6; >= 0.8.0, < 0.8.8; +1 more | 2025-10-16
CVE-2025-58051 [MEDIUM] CWE-841: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Ta
Source: NVD
CVE-2026-45691 | P3 | MEDIUM | CVSS 5.9 | affected: >= 32.0.0, < 32.0.9; >= 33.0.0, < 33.0.3 | 2026-06-01
CVE-2026-45691 [MEDIUM] CWE-287: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access
Source: NVD
CVE-2023-25818 | P3 | HIGH | CVSS 7.1 | affected: >= 24.0.0, < 24.0.10; >= 25.0.0, < 25.0.4 | 2023-03-27
CVE-2023-25818 [HIGH] CWE-307: Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resou
Source: NVD
CVE-2021-37631 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 1.2.9; >= 1.3.0, < 1.4.4; +1 more | 2021-09-07
CVE-2021-37631 [MEDIUM] CWE-639: Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if
Source: NVD
CVE-2021-32689 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 11.2.2 | 2021-07-12
CVE-2021-32689 [MEDIUM] CWE-200: Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don't allow users to choose u
Source: NVD
CVE-2026-45157 | P3 | MEDIUM | CVSS 6.3 | affected: >= 32.0.0, < 32.0.9; >= 33.0.0, < 33.0.3 | 2026-06-01
CVE-2026-45157 [MEDIUM] CWE-284: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during ongoing uploads. It is recomme
Source: NVD
CVE-2023-28644 | P3 | HIGH | CVSS 7.5 | affected: >= 25.0.0, < 25.0.3 | 2023-03-30
CVE-2023-28644 [HIGH] CWE-400: Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performances and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this v
Source: NVD
CVE-2026-45810 | P3 | MEDIUM | CVSS 6.8 | affected: >= 31.0.0, < 31.0.12; >= 32.0.0, < 32.0.3 | 2026-06-01
CVE-2026-45810 [MEDIUM] CWE-639: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0
Source: NVD
CVE-2021-32676 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 9.0.10; >= 10.0.0, < 10.0.8; +1 more | 2021-06-16
CVE-2021-32676 [MEDIUM] CWE-384: Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vu
Source: NVD
CVE-2021-32728 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 3.3.0 | 2021-08-18
CVE-2021-32728 [MEDIUM] CWE-295: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certific
Source: NVD
CVE-2022-41971 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 12.2.8; >= 13.0.0, < 13.0.10; +1 more | 2022-12-01
CVE-2022-41971 [MEDIUM] CWE-200: Nextcloud Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, pro
Source: NVD
CVE-2023-28645 | P3 | MEDIUM | CVSS 6.5 | affected: >= 7.0.0, < 7.0.2; fixed in 6.3.2 | 2023-03-31
CVE-2023-28645 [MEDIUM] CWE-284: Nextcloud richdocuments is a Nextcloud app integrating the office suite Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using an unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app (richdocuments) is upgraded to 8.0.0-beta.1, 7.0.2 or 6.3
Source: NVD
CVE-2023-32319 | P3 | MEDIUM | CVSS 6.5 | affected: >= 24.0.0, < 24.0.11; >= 25.0.0, < 25.0.5 | 2023-05-26
CVE-2023-32319 [MEDIUM] CWE-307: Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26
Source: NVD
CVE-2023-23944 | P3 | MEDIUM | CVSS 6.5 | affected: fixed in 2.2.2 | 2023-02-06
CVE-2023-23944 [MEDIUM] CWE-312: Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 users' passwords were stored in cleartext in the database during the duration of the OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is
Source: NVD
CVE-2022-39364 | P3 | MEDIUM | CVSS 6.5 | affected: < 22.2.10.5; >= 23.0.0, < 23.0.9; +1 more | 2022-10-27
CVE-2022-39364 [MEDIUM] CWE-312: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Ser
Source: NVD