
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 8 of 13

CVE | priority | severity | CVSS | versions (fixed / affected ranges) | date
CVE-2022-39329 | P4 | MEDIUM | CVSS 5.3 | fixed in 23.0.9; >= 24.0.0, < 24.0.5 | 2022-10-27
CVE-2022-39329 [MEDIUM] CWE-284: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for thi
Source: nvd
CVE-2022-31118 | P4 | MEDIUM | CVSS 5.3 | >= 23.0.0, < 23.0.4; fixed in 22.2.7 | 2022-08-04
CVE-2022-31118 [MEDIUM] CWE-770: Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrad
Source: nvd
CVE-2023-25160 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.11.8; >= 1.12.0, < 1.12.9; +2 more | 2023-02-13
CVE-2023-25160 [MEDIUM] CWE-639: Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID, getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail
Source: nvd
CVE-2024-52521 | P4 | MEDIUM | CVSS 5.3 | >= 28.0.0, < 28.0.10; >= 29.0.0, < 29.0.7 | 2024-11-15
CVE-2024-52521 [MEDIUM] CWE-328: Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not being queued for execution. By changing the hash to SHA256 the probability was heavily decreased. It is recommende
Source: nvd
CVE-2021-39222 | P4 | MEDIUM | CVSS 6.1 | fixed in 10.0.7; >= 10.1.0, < 10.1.4; +3 more | 2021-11-15
CVE-2021-39222 [MEDIUM] CWE-79: Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not expl
Source: nvd
CVE-2021-41239 | P4 | MEDIUM | CVSS 5.3 | fixed in 20.0.14; >= 21.0.0, < 21.0.6; +1 more | 2022-03-08
CVE-2021-41239 [MEDIUM] CWE-200: Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that the Nextcloud Server is upgraded
Source: nvd
CVE-2022-35932 | P4 | MEDIUM | CVSS 5.3 | >= 12.2.0, < 12.2.7; >= 13.0.0, < 13.0.7; +1 more | 2022-08-12
CVE-2022-35932 [MEDIUM] CWE-359: Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently n
Source: nvd
CVE-2023-48301 | P4 | MEDIUM | CVSS 5.4 | >= 25.0.0, < 25.0.13; >= 26.0.0, < 26.0.8; +1 more | 2023-11-21
CVE-2023-48301 [MEDIUM] CWE-79: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, an attacker could insert links into circle names that would be opened when clicking the circle name in a search filter. Nextcloud Server
Source: nvd
CVE-2023-48302 | P4 | MEDIUM | CVSS 5.4 | >= 25.0.0, < 25.0.13; >= 26.0.0, < 26.0.8; +1 more | 2023-11-21
CVE-2023-48302 [MEDIUM] CWE-79: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, when a user is tricked into copy-pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. Nextcloud Server and Ne
Source: nvd
CVE-2025-66548 | P4 | MEDIUM | CVSS 5.5 | >= 1.15.0-beta.1, < 1.15.1; >= 1.14.0-beta.1, < 1.14.4; +1 more | 2025-12-05
CVE-2025-66548 [MEDIUM] CWE-116: Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extensions can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1
Source: nvd
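The RTLO trick behind the Deck entry above, as an added example written for this page (illustration code, not Nextcloud Deck's own): a stored name such as `invoice` + U+202E + `fdp.exe` is drawn as `invoiceexe.pdf`, so the user sees a `.pdf` while the download handler sees an `.exe`. The function names and the sample file names are constructed for the example; the display simulation models only the single-override case, not the full Unicode bidi algorithm.

```python
"""Added example: detect and neutralise bidi-override file-name spoofing, the
RTLO trick described for CVE-2025-66548. Illustration code written for this
page, not Nextcloud Deck's own; the sample file names are constructed."""
import unicodedata
from typing import List, Tuple

# Unicode bidirectional control characters that can reorder or hide how a
# name is rendered. U+202E (RIGHT-TO-LEFT OVERRIDE) is the classic "RTLO".
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"               # LRM, RLM, ALM
)


def find_bidi_controls(name: str) -> List[Tuple[int, str]]:
    """(index, Unicode name) of every bidi control character in the name."""
    return [(i, unicodedata.name(ch, "?")) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def strip_bidi_controls(name: str) -> str:
    """Remove the controls so the stored name renders exactly as it is spelled."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def simulated_display(name: str) -> str:
    """Approximate what a UI draws for a name carrying a single U+202E:
    everything after the override is shown reversed. Other controls are
    dropped; a full bidi algorithm is deliberately out of scope here."""
    if "\u202e" not in name:
        return strip_bidi_controls(name)
    head, _, tail = name.rpartition("\u202e")
    return strip_bidi_controls(head) + strip_bidi_controls(tail)[::-1]


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the OS or download handler will actually use."""
    return extension_of(strip_bidi_controls(name))


def visible_extension(name: str) -> str:
    """Extension the user believes they see."""
    return extension_of(simulated_display(name))


def is_extension_spoofed(name: str) -> bool:
    """True when bidi controls make the displayed extension differ from the real one."""
    return bool(find_bidi_controls(name)) and visible_extension(name) != real_extension(name)


if __name__ == "__main__":
    # Constructed sample: stored as "invoice" + RLO + "fdp.exe", drawn as "invoiceexe.pdf".
    sample = "invoice\u202efdp.exe"
    print(repr(sample), "->", simulated_display(sample))
    print("real:", real_extension(sample), "visible:", visible_extension(sample))
    print("spoofed:", is_extension_spoofed(sample))
    print("sanitised:", strip_bidi_controls(sample))
```

Rejecting or stripping every bidi control on upload is the simpler fix; the spoof check is useful when existing names must be audited rather than rewritten.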
CVE-2023-28848 | P4 | MEDIUM | CVSS 5.4 | >= 1.0.0, < 1.3.0 | 2023-04-04
CVE-2023-28848 [MEDIUM] CWE-352: user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to recei
Source: nvd
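The `state` bypass described for user_oidc above, as an added example (written for this page, not user_oidc's actual code before or after the fix): a check that compares two client-supplied values is defeated by copying one into the other, whereas a state that is generated server-side, bound to the caller's session, expired and consumed on first use cannot be replayed. The class, function and session names are assumptions made for the example.

```python
"""Added example (not user_oidc's own code): server-side, single-use OIDC
`state` handling, against the class of bug behind CVE-2023-28848, where a
client-supplied state could be copied from one request into the next."""
import hmac
import secrets
import time
from typing import Callable, Dict


def weak_state_check(expected_state: str, presented_state: str) -> bool:
    """Simplified model of the flaw: both values travel with the client, so an
    attacker simply copies one into the other and the "check" always passes."""
    return expected_state == presented_state


class OidcStateStore:
    """Pending OIDC state values kept server-side, keyed by the login session
    that started the flow. `now` is injectable so expiry can be tested."""

    def __init__(self, ttl_seconds: int = 300, now: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending: Dict[str, Dict[str, float]] = {}

    def issue(self, session_id: str) -> str:
        """Generate an unguessable state for this session and remember it."""
        state = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, {})[state] = self._now()
        return state

    def consume(self, session_id: str, presented: str) -> bool:
        """Accept the callback only if `presented` was issued to this very
        session, has not expired, and has not been used before."""
        pending = self._pending.get(session_id)
        if not pending:
            return False
        now = self._now()
        matched = None
        for state, issued_at in list(pending.items()):
            if now - issued_at > self._ttl:
                del pending[state]          # drop stale states as we go
                continue
            # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
            if hmac.compare_digest(state.encode(), presented.encode()):
                matched = state
        if matched is None:
            return False
        del pending[matched]                # single use: a replay now fails
        return True


if __name__ == "__main__":
    store = OidcStateStore()
    s = store.issue("session-of-victim")
    print("weak check, attacker copies the value:", weak_state_check(s, s))
    print("hardened, from another session:", store.consume("attacker-session", s))
    print("hardened, genuine callback:", store.consume("session-of-victim", s))
    print("hardened, replayed callback:", store.consume("session-of-victim", s))
```

Binding the state to the session cookie is what defeats the copy-and-paste attack: the attacker can obtain a valid-looking state, but it was never issued to the session the callback arrives in.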
CVE-2023-39959 | P4 | MEDIUM | CVSS 5.3 | >= 25.0.0, < 25.0.9; >= 26.0.0, < 26.0.4; +1 more | 2023-08-10
CVE-2023-39959 [MEDIUM] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4,
Source: nvd
CVE-2025-66514 | P4 | MEDIUM | CVSS 5.4 | >= 5.2.0-beta.1, < 5.5.3 | 2025-12-05
CVE-2025-66514 [MEDIUM] CWE-79: Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code.
Source: nvd
CVE-2025-66513 | P4 | MEDIUM | CVSS 5.3 | >= 1.0.0-beta.1, < 1.0.1; >= 0.9.0-beta.1, < 0.9.6; +1 more | 2025-12-05
CVE-2025-66513 [MEDIUM] CWE-639: Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.
Source: nvd
CVE-2022-31119 | P4 | MEDIUM | CVSS 4.9 | fixed in 1.12.1 | 2022-08-04
CVE-2022-31119 [MEDIUM] CWE-532: Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to affected accounts would be obtainable. It is recommended that Nextcloud Mail is upgraded to 1.12.1.
Source: nvd
CVE-2021-32733 | P4 | MEDIUM | CVSS 6.1 | fixed in 19.0.13; >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
CVE-2021-32733 [MEDIUM] CWE-79: Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users. Due to the strict Content-Security-Policy shipped w
Source: nvd
CVE-2023-39955 | P4 | MEDIUM | CVSS 6.1 | >= 4.4.0, < 4.8.0 | 2023-08-10
CVE-2023-39955 [MEDIUM] CWE-79: Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version 4.8.0 contains a patch for the issue. No known workarounds are available.
Source: nvd
CVE-2024-52512 | P4 | MEDIUM | CVSS 6.1 | >= 6.0.0, < 6.1.0 | 2024-11-15
CVE-2024-52512 [MEDIUM] CWE-601: user_oidc app is an OpenID Connect user backend for Nextcloud. A malicious user could send a malformed login link that would redirect the user to a provided URL after successfully authenticating. It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0.
Source: nvd
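The post-login open redirect above, as an added example (written for this page, not user_oidc's code): a validator for a caller-supplied "return to" target that only accepts an on-site path or an absolute https URL on the instance's own host, and falls back to a safe default for everything else, including the scheme-relative, backslash, triple-slash, userinfo and header-injection variants that naive prefix checks miss. The function name, the `cloud.example` host and the sample inputs are assumptions made for the example.

```python
"""Added example (not user_oidc's own code): validating a post-login redirect
target so a crafted login link cannot send the user off-site, the bug class
described for CVE-2024-52512. Host name and samples are constructed."""
import re
from typing import Optional
from urllib.parse import urlsplit


def safe_redirect_target(candidate: Optional[str], allowed_host: str, default: str = "/") -> str:
    """Return `candidate` if it is safe to redirect to, else `default`.

    Accepted: an absolute path on this site ("/apps/files"), or an absolute
    https URL whose host is exactly `allowed_host`. Everything else, including
    "//evil", "/\\evil", "///evil", "https://good@evil", "javascript:" and
    anything with control characters, is replaced by `default`."""
    if not candidate:
        return default
    # Whitespace or control characters anywhere: header-injection and
    # parser-confusion bait (browsers and urlsplit disagree on how to strip them).
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return default
    # Backslashes are treated as slashes by browsers; refuse them outright.
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: https only, and the host after userinfo is stripped
        # must be ours ("https://cloud.example@evil.example/" has hostname evil.example).
        if parts.scheme.lower() == "https" and (parts.hostname or "").lower() == allowed_host.lower():
            return candidate
        return default
    # Relative target: exactly one leading slash. "//host" is scheme-relative and
    # "///host" is still resolved to a host by WHATWG URL parsing.
    if not re.match(r"^/(?![/\\])", candidate):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed inputs an attacker might put into a crafted login link.
    for sample in ["/apps/files", "//evil.example/", "///evil.example",
                   "https://cloud.example@evil.example/", "javascript:alert(1)",
                   "https://cloud.example/apps/files", "/x\r\nSet-Cookie: a=b"]:
        print(repr(sample), "->", safe_redirect_target(sample, "cloud.example"))
```

Storing the intended destination server-side (in the session when the login starts) and ignoring the callback parameter entirely removes the need for this check; the validator is the fallback when the destination must round-trip through the client.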
CVE-2021-32782 | P4 | MEDIUM | CVSS 5.4 | fixed in 0.19.1; >= 0.20.0, < 0.20.10; +1 more | 2021-09-07
CVE-2021-32782 [MEDIUM] CWE-79: Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Pol
Source: nvd
CVE-2021-39223 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.8.6; >= 4.0.0, < 4.2.3 | 2021-10-25
CVE-2021-39223 [MEDIUM] CWE-200: Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/My
Source: nvd