VYPR
Medium severity4.4NVD Advisory· Published Jun 1, 2026· Updated Jun 3, 2026

CVE-2026-45279

CVE-2026-45279

Description

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4, 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12, 28.0.14.15

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Nextcloud/Server2 versions
    cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*+ 1 more
    • cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*range: >=31.0.0,<31.0.14
    • cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*range: >=28.0.0,<28.0.14.15
  • Range: 31.0.0 to <31.0.14, 32.0.0 to <32.0.4

Patches

Vulnerability mechanics

References

3

News mentions

1