VYPR

Nextcloud Enterprise Server

by Nextcloud

CVEs (133)

  • CVE-2017-0890 | Med | May 8, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    Nextcloud Server before 11.0.3 is vulnerable to inadequate escaping leading to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue.

  • CVE-2016-7419 | Med | Sep 17, 2016
    risk 0.35 | cvss 5.4 | epss 0.01

    Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.

  • CVE-2026-45283 | Med | Jun 1, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated…

  • CVE-2026-45157 | Med | Jun 1, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload…

  • CVE-2020-8118 | Med | Feb 4, 2020
    risk 0.33 | cvss 5.0 | epss 0.01

    An authenticated server-side request forgery in Nextcloud Server 16.0.1 allowed detection of local and remote services when adding a new subscription in the calendar application.

  • CVE-2019-15624 | Med | Feb 4, 2020
    risk 0.32 | cvss 4.9 | epss 0.01

    Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.

  • CVE-2026-45691 | Med | Jun 1, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer…

  • CVE-2019-15619 | Med | Feb 4, 2020
    risk 0.31 | cvss 4.8 | epss 0.01

    Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project.

  • CVE-2020-8152 | Med | Nov 16, 2020
    risk 0.29 | cvss 4.4 | epss 0.00

    Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.

  • CVE-2021-32657 | Med | Jun 1, 2021
    risk 0.28 | cvss 4.3 | epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would disallow administrators to administrate users on the Nextcloud…

  • CVE-2020-8122 | Med | Feb 4, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    A missing check in Nextcloud Server 14.0.3 could give a recipient the possibility to extend the expiration date of a share they received.

  • CVE-2020-8119 | Med | Feb 4, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.

  • CVE-2020-8117 | Med | Feb 4, 2020
    risk 0.28 | cvss 4.3 | epss 0.01

    Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.

  • CVE-2019-5449 | Med | Jul 30, 2019
    risk 0.28 | cvss 4.3 | epss 0.01

    A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.

  • CVE-2018-3762 | Med | Jul 5, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to.

  • CVE-2017-0894 | Med | May 8, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error, thus potentially granting an attacker access to publicly shared calendars without knowing the share token.

  • CVE-2017-0888 | Med | Apr 5, 2017
    risk 0.28 | cvss 4.3 | epss 0.02

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.

  • CVE-2017-0887 | Med | Apr 5, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than…

  • CVE-2017-0885 | Med | Apr 5, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from an error message disclosing the existence of files in a write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing…

  • CVE-2017-0884 | Med | Apr 5, 2017
    risk 0.28 | cvss 4.3 | epss 0.01

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from an issue allowing the creation of folders in read-only folders despite lacking permissions. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this…