VYPR
Vendor: Nextcloud

Products: 36
CVEs: 330
Across products: 427
Status: Private

Recent CVEs

  • CVE-2018-3775 | High | Aug 12, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication.

  • CVE-2018-3761 | High | Jul 5, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.

  • CVE-2016-9463 | High | Mar 28, 2017
    risk 0.53 | cvss 8.1 | epss 0.04

    Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB…

  • CVE-2026-22683 | High | Apr 7, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or…

  • CVE-2026-45545 | High | Jun 1, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long…

  • CVE-2026-45281 | High | Jun 1, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar.…

  • CVE-2026-45156 | High | Jun 1, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been…

  • CVE-2017-0886 | Medium | Apr 5, 2017
    risk 0.42 | cvss 6.5 | epss 0.01

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.

  • CVE-2017-0883 | Medium | Apr 5, 2017
    risk 0.42 | cvss 6.4 | epss 0.01

    Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission increase on re-sharing via OCS API issue. A permission related issue within the OCS sharing API allowed an authenticated adversary to reshare shared files with an increasing permission set. This may allow an…

  • CVE-2016-9466 | Medium | Mar 28, 2017
    risk 0.40 | cvss 6.1 | epss 0.02

    Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence…

  • CVE-2016-9459 | Medium | Mar 28, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with…

  • CVE-2026-45722 | High | Jun 1, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a…

  • CVE-2026-45810 | Medium | Jun 1, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It…

  • CVE-2017-0936 | Medium | Mar 28, 2018
    risk 0.37 | cvss 5.7 | epss 0.01

    Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither…

  • CVE-2026-45285 | Medium | Jun 1, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a…

  • CVE-2026-45282 | Medium | Jun 1, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or…

  • CVE-2026-45275 | Medium | Jun 1, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization…

  • CVE-2026-45267 | Medium | Jun 1, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.

  • CVE-2025-13167 | Medium | May 27, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via…

  • CVE-2025-58051 | Medium | Oct 16, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and…