
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 5 of 13
CVE-2023-39957 | P3 | HIGH | CVSS 7.8 | fixed in 17.0.0 | 2023-08-10
CVE-2023-39957 [HIGH] CWE-22: Nextcloud Talk Android allows users to place video and audio calls through Nextcloud on Android. Prior to version 17.0.0, an unprotected intent allowed malicious third party apps to trick the Talk Android app into writing files outside of its intended cache directory. Nextcloud Talk Android version 17.0.0 has a patch for this issue. No known workaround
Source: nvd
CVE-2021-37617 | P3 | HIGH | CVSS 7.3 | >= 3.0.3, <= 3.2.4 | 2021-08-18
CVE-2021-37617 [HIGH] CWE-426: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written b
Source: nvd
CVE-2023-28997 | P3 | MEDIUM | CVSS 6.5 | >= 3.0.0, < 3.6.5 | 2023-04-04
CVE-2023-28997 [MEDIUM] CWE-323: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are availabl
Source: nvd
CVE-2025-47793 | P3 | MEDIUM | CVSS 6.5 | >= 30.0.0, < 30.0.2; >= 29.0.0, < 29.0.9; +4 more | 2025-05-16
CVE-2025-47793 [MEDIUM] CWE-770: Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the
Source: nvd
CVE-2023-28844 | P3 | MEDIUM | CVSS 6.5 | >= 25.0.0, < 25.0.4; fixed in 24.0.10 | 2023-03-31
CVE-2023-28844 [MEDIUM] CWE-284: Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnera
Source: nvd
CVE-2023-48308 | P3 | MEDIUM | CVSS 6.5 | >= 3.0.0, < 4.5.3 | 2023-12-22
CVE-2023-48308 [MEDIUM] CWE-1258: Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3
Source: nvd
CVE-2025-47790 | P3 | MEDIUM | CVSS 6.4 | >= 26.0.0, < 26.0.13.15; >= 27.0.0, < 27.1.11.15; +4 more | 2025-05-16
CVE-2025-47790 [MEDIUM] CWE-287: Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and p
Source: nvd
CVE-2021-37630 | P4 | MEDIUM | CVSS 6.5 | fixed in 0.19.15; >= 0.20.0, < 0.20.11; +1 more | 2021-09-07
CVE-2021-37630 [MEDIUM] CWE-639: Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner, leaking private information. It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no wo
Source: nvd
CVE-2024-52511 | P4 | MEDIUM | CVSS 6.5 | >= 0.6.0, < 0.8.0 | 2024-11-15
CVE-2024-52511 [MEDIUM] CWE-639: Nextcloud Tables allows users to create tables with individual columns. By directly specifying the ID of a table or view, a malicious user could blindly insert new rows into tables they have no access to. It is recommended that the Nextcloud Tables is upgraded to 0.8.0.
Source: nvd
CVE-2025-66511 | P4 | MEDIUM | CVSS 6.5 | >= 6.0.0-rc.1, < 6.0.3 | 2025-12-05
CVE-2025-66511 [MEDIUM] CWE-330: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerab
Source: nvd
CVE-2023-25816 | P4 | MEDIUM | CVSS 6.5 | >= 25.0.0, < 25.0.3 | 2023-02-25
CVE-2023-25816 [MEDIUM] CWE-400: Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available.
Source: nvd
CVE-2024-52520 | P3 | MEDIUM | CVSS 6.5 | >= 28.0.0, < 28.0.10; >= 29.0.0, < 29.0.7 | 2024-11-15
CVE-2024-52520 [MEDIUM] CWE-400: Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.
Source: nvd
CVE-2023-29000 | P4 | MEDIUM | CVSS 6.5 | >= 3.0.0, < 3.7.0 | 2023-04-04
CVE-2023-29000 [MEDIUM] CWE-295: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixe
Source: nvd
CVE-2024-52517 | P4 | MEDIUM | CVSS 5.9 | >= 28.0.0, < 28.0.11; >= 29.0.0, < 29.0.8; +1 more | 2024-11-15
CVE-2024-52517 [MEDIUM] CWE-200: Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing them to be read in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30
Source: nvd
CVE-2022-39346 | P4 | MEDIUM | CVSS 6.5 | fixed in 22.2.10; >= 23.0.0, < 23.0.7; +1 more | 2022-11-25
CVE-2022-39346 [MEDIUM] CWE-20: Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names, which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workaround
Source: nvd
CVE-2023-22470 | P4 | MEDIUM | CVSS 6.5 | >= 1.6.0, < 1.6.5; >= 1.7.0, < 1.7.3; +1 more | 2023-01-14
CVE-2023-22470 [MEDIUM] CWE-400: Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated, potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is recommended that the Nextcloud Server is upgraded to 1.6.5 or 1.7.3 or 1
Source: nvd
CVE-2023-28999 | P4 | MEDIUM | CVSS 6.4 | >= 3.0.0, < 3.8.0; >= 3.13.0, < 3.25.0; +1 more | 2023-04-04
CVE-2023-28999 [MEDIUM] CWE-325: Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This is
Source: nvd
CVE-2024-37312 | P4 | MEDIUM | CVSS 6.3 | <= 1.3.6 | 2024-06-14
CVE-2024-37312 [MEDIUM] CWE-284: user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0
Source: nvd
CVE-2021-32678 | P4 | MEDIUM | CVSS 5.3 | fixed in 19.0.13; >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
CVE-2021-32678 [MEDIUM] CWE-799: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range
Source: nvd
CVE-2025-66550 | P4 | MEDIUM | CVSS 5.7 | >= 5.0.0-rc.1, < 5.2.4; fixed in 4.7.17 | 2025-12-05
CVE-2025-66550 [MEDIUM] CWE-241: Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
Source: nvd