Nextcloud Security-Advisories vulnerabilities
259 known vulnerabilities affecting nextcloud/security-advisories.
Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29
Vulnerabilities
Page 6 of 13
CVE-2026-45543 | P4 | MEDIUM | CVSS 5.3 | v >= 4.3.0, < 5.2.7 | 2026-06-01
CVE-2026-45543 [MEDIUM] CWE-552
Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.
Source: nvd
CVE-2022-24741 | P4 | MEDIUM | CVSS 6.5 | fixed in 21.0.8; v >= 22.0.0, < 22.2.4; +1 more | 2022-03-09
CVE-2022-24741 [MEDIUM] CWE-400
Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8, 22.2.4 or 23.0.1. Users unable to upgrade
Source: nvd
CVE-2022-31024 | P4 | MEDIUM | CVSS 6.5 | fixed in 4.2.6; v >= 5.0.0, < 5.0.4 | 2022-06-02
CVE-2022-31024 [MEDIUM] CWE-284
richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarou
Source: nvd
CVE-2023-35173 | P4 | MEDIUM | CVSS 6.5 | v >= 1.12.0, < 1.12.4 | 2023-06-23
CVE-2023-35173 [MEDIUM] CWE-284
Nextcloud End-to-end encryption app provides all the necessary APIs to implement End-to-End encryption on the client side. By providing an invalid metadata file, an attacker can make previously dropped files inaccessible. It is recommended that the Nextcloud End-to-end encryption app is upgraded to version 1.12.4 that contains the fix.
Source: nvd
CVE-2023-49791 | P4 | MEDIUM | CVSS 5.4 | v >= 23.0.0, < 23.0.12.13; v >= 24.0.0, < 24.0.12.9; +3 more | 2023-12-22
CVE-2023-49791 [MEDIUM] CWE-284
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an active session of another user via another way, they
Source: nvd
CVE-2023-28647 | P4 | MEDIUM | CVSS 6.8 | fixed in 4.7.0 | 2023-03-30
CVE-2023-28647 [MEDIUM] CWE-281
Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud pin/password protection and gain access to a user's files. It is recommended that the Next
Source: nvd
CVE-2022-24887 | P4 | MEDIUM | CVSS 6.1 | fixed in 11.3.4; fixed in 12.2.2; +1 more | 2022-04-27
CVE-2022-24887 [MEDIUM] CWE-601
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are cur
Source: nvd
CVE-2023-28998 | P4 | MEDIUM | CVSS 6.1 | v >= 3.0.0, < 3.6.5 | 2023-04-04
CVE-2023-28998 [MEDIUM] CWE-325
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client
Source: nvd
CVE-2023-23942 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.6.3 | 2023-02-06
CVE-2023-23942 [MEDIUM] CWE-79
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on QML labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for JavaScript injection. It is recomm
Source: nvd
CVE-2025-66512 | P4 | MEDIUM | CVSS 6.1 | v >= 32.0.0beta1, < 32.0.3; fixed in 31.0.12 | 2025-12-05
CVE-2025-66512 [MEDIUM] CWE-80
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page.
Source: nvd
CVE-2026-45278 | P4 | MEDIUM | CVSS 6.1 | v >= 6.1.0, < 8.2.2 | 2026-06-01
CVE-2026-45278 [MEDIUM] CWE-601
Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in version 8.2.2.
Source: nvd
CVE-2025-47792 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.15 | 2025-05-16
CVE-2025-47792 [MEDIUM] CWE-284
Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service. Nextcloud Desktop fixes the issue in version 3.15. No kno
Source: nvd
CVE-2023-25150 | P4 | MEDIUM | CVSS 5.7 | fixed in 3.8.7; v >= 4.0.0, < 4.2.9; +3 more | 2023-02-08
CVE-2023-25150 [MEDIUM] CWE-284
Nextcloud office/richdocuments is an office suite for the Nextcloud server platform. In affected versions the Collabora integration can be tricked into providing access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users' files. It is recommended that the Nextcloud Office Ap
Source: nvd
CVE-2021-32703 | P4 | MEDIUM | CVSS 5.3 | fixed in 19.0.13; v >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
CVE-2021-32703 [MEDIUM] CWE-799
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of rate limiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Source: nvd
CVE-2021-32766 | P4 | MEDIUM | CVSS 5.3 | fixed in 20.0.12; v >= 21.0.0, < 21.0.4; +1 more | 2021-09-07
CVE-2021-32766 [MEDIUM] CWE-209
Nextcloud Text is an open source plaintext editing application which ships with the Nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (ak
Source: nvd
CVE-2023-25162 | P4 | MEDIUM | CVSS 5.3 | fixed in 23.0.12; v >= 24.0.0, < 24.0.8 | 2023-02-13
CVE-2023-25162 [MEDIUM] CWE-918
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which
Source: nvd
CVE-2024-52518 | P4 | MEDIUM | CVSS 5.4 | v >= 28.0.0, < 28.0.12; v >= 29.0.0, < 29.0.9; +1 more | 2024-11-15
CVE-2024-52518 [MEDIUM] CWE-287
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
Source: nvd
CVE-2024-22402 | P4 | MEDIUM | CVSS 5.4 | v >= 2.4.0, < 2.4.1; v >= 2.5.0, < 2.5.1; +1 more | 2024-01-18
CVE-2024-22402 [MEDIUM] CWE-281
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1
Source: nvd
CVE-2024-37884 | P4 | MEDIUM | CVSS 5.4 | v >= 26.0.0, < 26.0.13; v >= 27.0.0, < 27.1.8; +1 more | 2024-06-14
CVE-2024-37884 [MEDIUM] CWE-284
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files that had only been shared with them with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
Source: nvd
CVE-2023-39958 | P4 | MEDIUM | CVSS 5.3 | v >= 22.0.0, < 22.2.10.13; v >= 23.0.0, < 23.0.12.8; +4 more | 2023-08-10
CVE-2023-39958 [MEDIUM] CWE-307
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1
Source: nvd