Nextcloud Enterprise Server
by Nextcloud
Source repositories
CVEs (133)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-15621 | | Med | 0.42 | 6.5 | 0.01 | | Feb 4, 2020 | Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link. |
| CVE-2017-0886 | | Med | 0.42 | 6.5 | 0.01 | | Apr 5, 2017 | Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service. |
| CVE-2017-0883 | | Med | 0.42 | 6.4 | 0.01 | | Apr 5, 2017 | Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an… |
| CVE-2020-8120 | | Med | 0.40 | 6.1 | 0.01 | | Feb 4, 2020 | A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation. |
| CVE-2019-15612 | | Med | 0.38 | 5.9 | 0.00 | | Feb 4, 2020 | A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset. |
| CVE-2026-45810 | | Med | 0.37 | 6.8 | 0.00 | | Jun 1, 2026 | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It… |
| CVE-2018-16464 | | Med | 0.37 | 5.7 | 0.01 | | Oct 30, 2018 | A missing access check in Nextcloud Server prior to 14.0.0 could lead to continued access to password protected link shares when the owner had changed the password. |
| CVE-2017-0936 | | Med | 0.37 | 5.7 | 0.01 | | Mar 28, 2018 | Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither… |
| CVE-2026-45282 | | Med | 0.35 | 6.5 | 0.00 | | Jun 1, 2026 | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or… |
| CVE-2020-8294 | | Med | 0.35 | 5.4 | 0.01 | | Feb 3, 2021 | A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. |
| CVE-2020-8133 | | Med | 0.35 | 5.3 | 0.01 | | Nov 9, 2020 | A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. |
| CVE-2020-8155 | | Med | 0.35 | 5.4 | 0.01 | | May 12, 2020 | An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. |
| CVE-2019-15623 | | Med | 0.35 | 5.3 | 0.02 | | Feb 4, 2020 | Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled. |
| CVE-2019-15617 | | Med | 0.35 | 5.4 | 0.01 | | Feb 4, 2020 | A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login. |
| CVE-2018-16467 | | Med | 0.35 | 5.3 | 0.01 | | Oct 30, 2018 | A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares. |
| CVE-2018-16465 | | Med | 0.35 | 5.3 | 0.01 | | Oct 30, 2018 | Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load. |
| CVE-2018-3780 | | Med | 0.35 | 5.4 | 0.01 | | Aug 13, 2018 | A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. |
| CVE-2018-3776 | | Med | 0.35 | 5.3 | 0.01 | | Aug 12, 2018 | Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. |
| CVE-2017-0893 | | Med | 0.35 | 5.4 | 0.01 | | May 8, 2017 | Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user-input which suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict… |
| CVE-2017-0891 | | Med | 0.35 | 5.4 | 0.01 | | May 8, 2017 | Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components. |