Nextcloud

by Nextcloud

CVEs (69)

  • CVE-2026-45545 · High · Jun 1, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long…

  • CVE-2018-3781 · Medium · Aug 13, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    Missing sanitization of search results for an autocomplete field in Nextcloud Talk <3.2.5 could lead to a stored XSS requiring user interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.

  • CVE-2016-9460 · Medium · Mar 28, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use…

  • CVE-2017-0888 · Medium · Apr 5, 2017
    risk 0.28 · cvss 4.3 · epss 0.02

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.

  • CVE-2026-45284 · Medium · Jun 1, 2026
    risk 0.23 · cvss 4.6 · epss 0.00

    Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0.

  • CVE-2026-45153 · Medium · Jun 1, 2026
    risk 0.23 · cvss 4.6 · epss 0.00

    Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0.

  • CVE-2026-45544 · Medium · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria are exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0.

  • CVE-2026-45286 · Medium · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing…

  • CVE-2026-45264 · Medium · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a…

  • CVE-2026-45266 · Low · Jun 1, 2026
    risk 0.16 · cvss 3.5 · epss 0.00

    Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions…

  • CVE-2026-45159 · Low · Jun 1, 2026
    risk 0.16 · cvss 3.5 · epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files…

  • CVE-2026-45278 · Low · Jun 1, 2026
    risk 0.14 · cvss 3.3 · epss 0.00

    Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in…

  • CVE-2025-64011 · Dec 12, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of…

  • CVE-2025-66510 · Dec 5, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed retrieval of personal data of other users (emails, names,…

  • CVE-2025-59788 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute…

  • CVE-2025-47792 · May 16, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user's machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an…

  • CVE-2024-52509 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send the files to themselves and then download them from…

  • CVE-2024-37314 · Jun 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

  • CVE-2024-30247 · Mar 29, 2024
    risk 0.00 · cvss n/a · epss 0.02

    NextcloudPi is a ready-to-use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be…

  • CVE-2023-25821 · Feb 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is…
