Medium severity6.1NVD Advisory· Published Mar 28, 2017· Updated May 13, 2026

CVE-2016-9466

Description

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability.

Affected products

Nextcloud/Nextcloud Server
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Range: >=10.0.0,<10.0.1
OwnCloud/Owncloud
cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
Range: >=9.0.0,<9.0.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58nvdIssue TrackingPatchThird Party Advisory
github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eeenvdIssue TrackingPatchThird Party Advisory
github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8anvdIssue TrackingPatchThird Party Advisory
nextcloud.com/security/advisory/nvdPatchVendor Advisory
owncloud.org/security/advisory/nvdPatchVendor Advisory
hackerone.com/reports/165686nvdExploitThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000