Nextcloud is an open source, self-hosted file synchronization, sharing and communication platform from Nextcloud, Germany. A cross-site scripting vulnerability exists in Nextcloud Notes versions 4.4.0 up to and including 4.8.0. It stems from the fact that when a notes file is created using HTML, the content is rendered in a preview instead of the file being offered for download. An attacker could exploit this vulnerability to carry out a cross-site scripting attack.
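The root cause above is user-created HTML being rendered inline instead of offered for download. A server can prevent that class of bug by choosing response headers from an allowlist and failing closed. The following Python is an added example, not Nextcloud Notes code or its actual fix; the function names, the allowlist and the sample files are assumptions constructed for illustration.

```python
# Added example with constructed names; not Nextcloud Notes code.
from pathlib import PurePosixPath
from urllib.parse import quote

# Assumed allowlist: types a browser displays without running script.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}
# Extensions that can carry active content if a browser renders them.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml"}


def base_media_type(declared_type):
    """Strip parameters and normalise case: 'TEXT/HTML; charset=x' -> 'text/html'."""
    return (declared_type or "").split(";", 1)[0].strip().lower()


def delivery_mode(filename, declared_type):
    """Return 'inline' only for allowlisted types with a non-active extension."""
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in ACTIVE_EXTENSIONS:
        return "attachment"
    if base_media_type(declared_type) in INLINE_SAFE_TYPES:
        return "inline"
    return "attachment"  # unknown or missing type: fail closed


def response_headers(filename, declared_type):
    """Build headers so user-controlled content is never rendered as HTML."""
    mode = delivery_mode(filename, declared_type)
    safe_type = base_media_type(declared_type) if mode == "inline" else "application/octet-stream"
    return {
        "Content-Type": safe_type,
        "Content-Disposition": f"{mode}; filename*=UTF-8''{quote(filename, safe='')}",
        # Stop the browser from sniffing HTML out of a text/plain or binary body.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample files: (filename, declared type)
SAMPLES = [
    ("todo.txt", "text/plain"),
    ("note.html", "text/html"),
    ("note.html", "text/plain"),  # mislabelled HTML
    ("diagram.svg", "image/svg+xml"),
    ("photo.png", "IMAGE/PNG; charset=binary"),
    ("blob", None),
]

if __name__ == "__main__":
    for name, ctype in SAMPLES:
        print(name, ctype, "->", response_headers(name, ctype)["Content-Disposition"])
```

Only the plain-text note and the PNG are served inline; the HTML note, the mislabelled HTML note, the SVG and the untyped file are all sent as attachments.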