
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 7 of 13
CVE-2025-66510 | P4 | MEDIUM | CVSS 4.9 | affected >= 32.0.0beta1, < 32.0.1 | fixed in 31.0.10 | 2025-12-05
CVE-2025-66510 [MEDIUM] CWE-359: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user
nvd
CVE-2022-39333 | P4 | MEDIUM | CVSS 6.1 | fixed in 3.6.1 | 2022-11-25
CVE-2022-39333 [MEDIUM] CWE-79: Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
nvd
CVE-2024-52509 | P4 | MEDIUM | CVSS 5.7 | affected >= 2.2.0, < 2.2.10 | affected >= 3.6.0, < 3.6.2 | +1 more | 2024-11-15
CVE-2024-52509 [MEDIUM] CWE-284: Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send the files to themselves and then download them from their mail clients. It is recommended that the Nextcloud Mail is upgrade
nvd
CVE-2021-32734 | P4 | MEDIUM | CVSS 5.3 | fixed in 19.0.13 | affected >= 20.0.0, < 20.0.11 | +1 more | 2021-07-12
CVE-2021-32734 [MEDIUM] CWE-209: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3.
nvd
CVE-2021-32741 | P4 | MEDIUM | CVSS 5.3 | fixed in 19.0.13 | affected >= 20.0.0, < 20.0.11 | +1 more | 2021-07-12
CVE-2021-32741 [MEDIUM] CWE-799: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known
nvd
CVE-2021-32725 | P4 | MEDIUM | CVSS 5.3 | fixed in 19.0.13 | affected >= 20.0.0, < 20.0.11 | +1 more | 2021-07-12
CVE-2021-32725 [MEDIUM] CWE-277: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
nvd
CVE-2023-25161 | P4 | MEDIUM | CVSS 5.3 | affected = 25.0.0 | affected >= 24.0.0, < 24.0.8 | +1 more | 2023-02-13
CVE-2023-25161 [MEDIUM] CWE-284: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email service
nvd
CVE-2025-66554 | P4 | MEDIUM | CVSS 5.4 | affected >= 7.0.0-alpha.1, < 7.2.5 | affected >= 6.0.0-alpha1, < 6.0.6 | +1 more | 2025-12-05
CVE-2025-66554 [MEDIUM] CWE-79: Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server
nvd
CVE-2025-47791 | P4 | MEDIUM | CVSS 5.3 | affected >= 28.0.0, < 28.0.13 | affected >= 29.0.0, < 29.0.10 | +1 more | 2025-05-16
CVE-2025-47791 [MEDIUM] CWE-918: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcl
nvd
CVE-2023-32318 | P4 | MEDIUM | CVSS 6.7 | affected >= 25.0.2, < 25.0.6 | affected >= 26.0.0, < 26.0.1 | 2023-05-26
CVE-2023-32318 [MEDIUM] CWE-613: Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be a
nvd
CVE-2021-41180 | P4 | MEDIUM | CVSS 6.1 | fixed in 12.1.2 | 2022-03-08
CVE-2021-41180 [MEDIUM] CWE-601: Nextcloud Talk is a self hosting messaging service. In versions prior to 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client. It is recomm
nvd
CVE-2023-35171 | P4 | MEDIUM | CVSS 6.1 | affected >= 26.0.0, < 26.0.2 | 2023-06-23
CVE-2023-35171 [MEDIUM] CWE-601: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2
nvd
CVE-2024-22400 | P4 | MEDIUM | CVSS 6.1 | affected >= 5.0.0, < 5.1.5 | affected >= 5.2.0, < 5.2.5 | +1 more | 2024-01-18
CVE-2024-22400 [MEDIUM] CWE-601: Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no known workarounds for this issue.
nvd
CVE-2021-37629 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.8.4 | affected >= 4.0.0, < 4.2.1 | 2021-09-07
CVE-2021-37629 [MEDIUM] CWE-200: Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud Richdocuments app is upgraded to either 3.8.4 or 4.2.1 to resolve. For users
nvd
CVE-2022-39332 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.6.1 | 2022-11-25
CVE-2022-39332 [MEDIUM] CWE-79: Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
nvd
CVE-2022-39331 | P4 | MEDIUM | CVSS 5.4 | fixed in 3.6.1 | 2022-11-25
CVE-2022-39331 [MEDIUM] CWE-79: Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
nvd
CVE-2022-41968 | P4 | MEDIUM | CVSS 5.3 | fixed in 23.0.10 | affected >= 24.0.0, < 24.0.5 | 2022-12-01
CVE-2022-41968 [MEDIUM] CWE-400: Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Versions 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.
nvd
CVE-2021-41233 | P4 | MEDIUM | CVSS 5.3 | fixed in 20.0.14 | affected >= 21.0.0, < 21.0.6 | +1 more | 2022-03-10
CVE-2021-41233 [MEDIUM] CWE-862: Nextcloud Text is a collaborative document editor using Markdown built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is
nvd
CVE-2024-22213 | P4 | MEDIUM | CVSS 5.4 | affected >= 1.9.0, < 1.9.5 | affected >= 1.10.0, < 1.11.2 | 2024-01-18
CVE-2024-22213 [MEDIUM] CWE-79: Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the Nextcloud Deck is upgraded to version 1.9.5 or 1.11.2. Th
nvd
CVE-2022-39211 | P4 | MEDIUM | CVSS 5.3 | fixed in 23.0.8 | affected >= 24.0.0, < 24.0.4 | 2022-09-16
CVE-2022-39211 [MEDIUM] CWE-918: Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There ar
nvd