Lucene search
K
NextcloudMost viewed

384 matches found

Nextcloud
Nextcloud
•added 2016/07/19 12:0 a.m.•27 views

Edit permission check not enforced on WebDAV COPY action (NC-SA-2016-004)

The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files...

4CVSS3.3AI score0.02EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2026/05/13 6:50 a.m.•26 views

Bypass of second factor authentication on DAV endpoints by reusing a pre-2FA session ID

None...

5.9CVSS5.8AI score0.0029EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2025/12/05 7:59 a.m.•26 views

Deck app allows to spoof file extensions by using RTLO characters

None...

5.5CVSS5.2AI score0.0013EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2023/11/21 5:17 a.m.•26 views

Admins can change authentication details of user configured external storage

None...

2.7CVSS4.4AI score0.00671EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2021/07/12 9:26 a.m.•26 views

End-to-end encryption device setup did not verify public key

None...

7.5CVSS7.4AI score0.00732EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2020/10/15 12:0 a.m.•26 views

Improper access control to messages of Social app (NC-SA-2020-042)

Improper access control in Social app 0.3.1 allowed to read posts of any user...

5CVSS3.9AI score0.01004EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2020/04/16 12:0 a.m.•26 views

Limit contacts photo uploading to images (NC-SA-2020-024)

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars...

4CVSS4.1AI score0.0079EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/12/12 12:0 a.m.•26 views

SSRF protection bypass in calendar subscriptions (NC-SA-2020-014)

A missing check for IPv4 nested inside IPv6 in Nextcloud server 17.0.1 allowed a SSRF when subscribing to a malicious calendar URL...

4CVSS2.6AI score0.01395EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•26 views

Thumbnails of files leaked via Android content provider (NC-SA-2019-007)

If an attacker has physical access to an Android smartphone without a screen lock, but with nextcloud installed and set up, he can easily access the nextcloud-files even if the nextcloud app is locked with a fingerprint or pin...

2.1CVSS2.9AI score0.00434EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/15 12:0 a.m.•26 views

Renaming an item to a protected hidden folder deletes the target (NC-SA-2020-017)

Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name...

5.5CVSS3.7AI score0.01856EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2018/10/25 12:0 a.m.•26 views

Improper access control checks for single share previews (NC-SA-2018-014)

A missing check could give unauthorized access to the previews of single file password protected shares...

5CVSS3.4AI score0.01068EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2018/08/10 12:0 a.m.•26 views

Stored XSS in autocomplete suggestions for file comments (NC-SA-2018-008)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...

3.5CVSS3AI score0.00769EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/02/05 12:0 a.m.•26 views

Bypassing quota limitation (NC-SA-2017-005)

Due to not properly sanitzing values provided by the OC-Total-Length HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator...

4CVSS2.7AI score0.00888EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2016/10/10 12:0 a.m.•26 views

Content-Spoofing in "dav" app (NC-SA-2016-011)

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information...

5CVSS5.4AI score0.02077EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 9:13 a.m.•25 views

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner

None...

3.5CVSS5.8AI score0.00203EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2025/12/05 7:54 a.m.•25 views

Tables app allowed users to view columns metadata information of any table

None...

4.3CVSS5.2AI score0.0024EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2020/10/15 12:0 a.m.•25 views

Social App does not validate server certificates for outgoing connections (NC-SA-2020-043)

Missing validation of server certificates for out-going connections allowed a man-in-the-middle attack...

5.8CVSS3.6AI score0.00639EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2019/07/29 12:0 a.m.•25 views

Improper neutralization of item names in projects feature (NC-SA-2020-009)

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project...

3.5CVSS3.7AI score0.0084EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/11/15 12:0 a.m.•25 views

Event details leaked when sharing a non-public calendar event (NC-SA-2020-013)

Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event...

4CVSS2.1AI score0.00714EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/08/10 12:0 a.m.•25 views

Stored XSS in autocomplete suggestions for chat @-mentions (NC-SA-2018-009)

A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users...

3.5CVSS2.6AI score0.0062EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/02/07 12:0 a.m.•25 views

App password scope can be changed for other users (NC-SA-2018-001)

A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user...

4.9CVSS2.6AI score0.00778EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2017/05/08 12:0 a.m.•25 views

DOM XSS vulnerability in search dialogue (NC-SA-2017-007)

Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue...

3.5CVSS2.1AI score0.00739EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2016/10/10 12:0 a.m.•25 views

Stored XSS in CardDAV image export (NC-SA-2016-008)

The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.Note: Nextcloud employs a very strict Content Security...

3.5CVSS1.3AI score0.01118EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:9 p.m.•24 views

Link reference provider can be tricked into downloading bigger files than intended

None...

6.5CVSS5.2AI score0.00779EPSS
Exploits0References3Affected Software1
Nextcloud
Nextcloud
•added 2020/05/15 12:0 a.m.•24 views

Improper access control allows injecting tasks into other users decks (NC-SA-2020-022)

Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to inject tasks into other users decks...

4CVSS5.4AI score0.00636EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•24 views

Bypass lock protection in Android app (NC-SA-2019-004)

Creating a fake multi-account and aborting the process would redirect the user to the default account of the device without asking for the lock pattern if one was set up...

4.6CVSS2.8AI score0.00463EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2016/10/10 12:0 a.m.•24 views

Improper authorization check on removing shares (NC-SA-2016-007)

The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation did simply unshare the file to all users in...

4CVSS3.8AI score0.01624EPSS
Exploits1Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:16 p.m.•23 views

Shares are not removed when user is limited to share with in their groups and being removed from one of them

None...

4.3CVSS5.1AI score0.00419EPSS
Exploits0References1Affected Software1
Nextcloud
Nextcloud
•added 2026/03/06 10:54 a.m.•22 views

Remote code execution in Nextcloud Flow via vulnerable Windmill version

None...

7.5CVSS5.8AI score0.02584EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:17 p.m.•22 views

Desktop client created folders with world-readable and world-writable permissions on Linux

None...

9.1CVSS5.2AI score0.00555EPSS
Exploits0References1Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:12 p.m.•22 views

Share information of Tables app is not limited to affected users

None...

4.3CVSS5.2AI score0.00409EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2019/07/26 12:0 a.m.•22 views

Improper check for access to application database (NC-SA-2018-015)

A too permissive check allowed an installed application that contained the Nextcloud client package name to obtain access to the database of the Nextcloud application. At time of disclosure there are no applications with in the Google Play Store that fullfill this requirement...

2.3AI score
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 9:9 a.m.•20 views

PIN bypass in PassCodeActivity via back button

None...

4.6CVSS5.8AI score0.00153EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:18 p.m.•20 views

Desktop client behaves incorrectly if the initial end-to-end-encryption signature is empty

None...

7.5CVSS5.2AI score0.00728EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:14 p.m.•20 views

Open redirection when logging in with User OIDC

None...

6.1CVSS5.2AI score0.00417EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 9:12 a.m.•19 views

Valid share tokens allow to access tempory upload files of share owner

None...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:15 p.m.•19 views

User can copy folder that contain files that are blocked by the files access control

None...

4.1CVSS5.2AI score0.00471EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2019/12/05 12:0 a.m.•19 views

Bypass lock protection in Android app (NC-SA-2020-004)

A wrong check for the system time in the Android App 3.9.0 causes a bypass of the lock protection when changing the time of the system to the past...

3.6CVSS2.4AI score0.00369EPSS
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2018/08/03 12:0 a.m.•19 views

Bypass of 2 Factor Authentication (NC-SA-2018-007)

Improper authentication of the second factor challenge would allow an attacker that had access to user credentials to bypass the second factor validation completely...

4.6AI score
Exploits0Affected Software1
Nextcloud
Nextcloud
•added 2026/05/13 6:43 a.m.•18 views

Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService

None...

4.3CVSS5.8AI score0.00222EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2025/12/05 8:0 a.m.•18 views

Calendar app allowed booking appointments without the generated token

None...

3.3CVSS5.2AI score0.0012EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/13 12:20 p.m.•17 views

Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views

None...

7.1CVSS5.8AI score0.00301EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/13 6:48 a.m.•17 views

Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share

None...

5.3CVSS5.8AI score0.00269EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 9:12 a.m.•17 views

Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC

None...

8.1CVSS5.8AI score0.00329EPSS
Exploits1References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 9:7 a.m.•17 views

Logged-in user bypasses share password and download restrictions on Text attachments via documentId

None...

6.5CVSS5.8AI score0.00294EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2025/10/16 6:40 a.m.•17 views

Tables app allowed to include local file via PhpSpreadsheet when importing a table

None...

6.5CVSS5.2AI score0.00496EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2024/11/15 1:13 p.m.•17 views

Authorization Bypass Through User-Controlled Key in Tables

None...

6.5CVSS5.2AI score0.00448EPSS
Exploits0References3Affected Software1
Nextcloud
Nextcloud
•added 2026/05/13 6:39 a.m.•16 views

SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

None...

8.2CVSS5.8AI score0.00318EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 8:51 a.m.•16 views

Open Redirect in user_oidc login flow via protocol-relative URL bypass

None...

6.1CVSS5.8AI score0.00232EPSS
Exploits0References2Affected Software1
Nextcloud
Nextcloud
•added 2026/05/12 8:23 a.m.•16 views

fileId parameter reveals workflow associations in Nextcloud Approval app

None...

3.3CVSS5.8AI score0.0013EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities384