
Nextcloud Security-Advisories vulnerabilities

259 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 259
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 47, MEDIUM 172, LOW 29

Vulnerabilities

Page 9 of 13
CVE-2021-41166 | P4 | MEDIUM | CVSS 5.3 | fixed in 3.17.1 | 2022-01-26
[MEDIUM] CWE-276: The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Ver
nvd
CVE-2021-39224 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.1.1 | 2021-10-25
[MEDIUM] CWE-200: Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/sh
nvd
CVE-2022-39338 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.2.1 | 2022-11-25
[MEDIUM] CWE-20: user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari
nvd
CVE-2022-41970 | P4 | MEDIUM | CVSS 5.3 | fixed in 24.0.7 | >= 25.0.0, < 25.0.1 | 2022-12-01
[MEDIUM] CWE-284: Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workaroun
nvd
CVE-2022-39212 | P4 | MEDIUM | CVSS 5.3 | fixed in 13.0.8 | >= 14.0.0, < 14.0.4 | 2022-09-17
[MEDIUM] CWE-200: Nextcloud Talk is an open source chat, video & audio calls client for the Nextcloud platform. In affected versions an attacker could see the last video frame of any participant who has video disabled but a camera selected. It is recommended that the Nextcloud Talk app is upgraded to 13.0.8 or 14.0.4. Users unable to upgrade should select "None" as c
nvd
CVE-2023-33184 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.15.3 | fixed in 2.2.5 | +1 more | 2023-05-27
[MEDIUM] CWE-918: Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed sending GET requests to services running on the same web server. It is recommended that the Mail app is updated to version 3.02, 2.2.5 or 1.15.3.
nvd
CVE-2023-25159 | P4 | MEDIUM | CVSS 5.3 | >= 24.0.4, < 24.0.8 | = 25.0.0 | +2 more | 2023-02-13
[MEDIUM] CWE-284: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocum
nvd
CVE-2021-39221 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.0.3 | 2021-10-25
[MEDIUM] CWE-79: Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcl
nvd
CVE-2021-32801 | P4 | MEDIUM | CVSS 5.5 | fixed in 20.0.12 | >= 21.0.0, < 21.0.4 | +1 more | 2021-09-07
[MEDIUM] CWE-532: Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are ad
nvd
CVE-2021-32657 | P4 | MEDIUM | CVSS 4.3 | fixed in 19.0.11 | >= 20.0.0, < 20.0.10 | +1 more | 2021-06-01
[MEDIUM] CWE-400: Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and
nvd
CVE-2021-32748 | P4 | MEDIUM | CVSS 4.3 | fixed in 3.8.3 | >= 4.0.0, < 4.2.0 | 2021-07-27
[MEDIUM] CWE-862: Nextcloud Richdocuments is an open source self hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor; the communication between these two services was not protected by a credentials or IP check. Whilst this does not result in gaining access to data that the user ha
nvd
CVE-2026-45264 | P4 | MEDIUM | CVSS 4.3 | >= 17.0.0, < 17.0.15 | >= 18.0.0, < 18.1.12 | +3 more | 2026-06-01
[MEDIUM] CWE-284: Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patch
nvd
CVE-2022-39210 | P4 | MEDIUM | CVSS 5.5 | fixed in 3.21.0 | 2022-09-17
[MEDIUM] CWE-22: Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result, access to internal files from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the
nvd
CVE-2023-39953 | P4 | MEDIUM | CVSS 4.8 | >= 1.0.0, < 1.3.3 | 2023-08-10
[MEDIUM] CWE-303: user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also have access to. user_oidc 1.3.3 contains a patch. No
nvd
CVE-2022-24888 | P4 | MEDIUM | CVSS 4.3 | < 20.0.14.4 | fixed in 21.0.8 | +2 more | 2022-04-27
[MEDIUM] CWE-74: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names,
nvd
CVE-2023-48304 | P4 | MEDIUM | CVSS 4.3 | >= 25.0.0, < 25.0.11 | >= 26.0.0, < 26.0.6 | +4 more | 2023-11-21
[MEDIUM] CWE-639: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could ena
nvd
CVE-2025-47794 | P4 | MEDIUM | CVSS 4.3 | >= 26.0.0, < 26.0.13.13 | >= 27.0.0, < 27.1.11.13 | +4 more | 2025-05-16
[MEDIUM] CWE-284: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink a
nvd
CVE-2026-45286 | P4 | MEDIUM | CVSS 4.3 | >= 5.5.13, < 5.5.17 | >= 6.2.0, < 6.2.3 | 2026-06-01
[MEDIUM] CWE-200: Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue
nvd
CVE-2025-66552 | P4 | MEDIUM | CVSS 4.3 | >= 32.0.0beta1, < 32.0.1 | fixed in 31.0.9 | 2025-12-05
[MEDIUM] CWE-778: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30
nvd
CVE-2025-66547 | P4 | MEDIUM | CVSS 4.3 | fixed in 31.0.1 | 2025-12-05
[MEDIUM] CWE-639: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
nvd
Nextcloud Security-Advisories vulnerabilities | cvebase