384 matches found
3rdparty applications can create share links via socket API
Test remote endpoint is not rate limited
Second factor not requested after session timeout
Global credentials of external storages are sent back to the frontend
Desktop client behaves incorrectly if the initial end-to-end-encryption signature is empty
Desktop client created folders with world-readable and world-writable permissions on Linux
Shares are not removed when user is limited to share with in their groups and being removed from one of them
Incomplete sanitization of SVG files allows embedding other images into previews
User can copy a folder that contains files blocked by the files access control
Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares
Open redirection when logging in with User OIDC
Authorization Bypass Through User-Controlled Key in Tables
Share information of Tables app is not limited to affected users
Mail app does not respect download permissions in shares
Mail auto configurator sends account information to `autoconfig.tld` server when no auto-configuration is possible
Missing password confirmation when changing external storage options
OAuth2 client secrets were stored in a recoverable way
Link reference provider can be tricked into downloading bigger files than intended
Potential hash collision for background jobs could skip queuing them
Custom defined credentials of external storages are sent back to the frontend
User password is available in memory of the PHP process
Can reshare read&share only folder with more permissions
Events information leaked with shared calendars on recurrence exceptions
ID4me does not validate signature or expiration
Code injection in Nextcloud Desktop Client for macOS
Users can delete old versions of read-only shared files
Can access comments and attachments of deleted cards
Notes app can be tricked into using a received share created before the user logged in
Event create can create attachments that link to other websites
Read-only users can restore old versions
Missing permission check when removing a photo from an album
Ability to bypass second factor
ID4me feature of OpenID connect app available even when disabled
Open redirect in user_saml via RelayState parameter
All users can reset the allowed apps list for Guest App users
Improper handling of request URLs in Guests app allows guest users to bypass app allowlist
OAuth2 authorization codes are valid indefinitely
Can download "view-only" files with the Files ZIP app
Self XSS when sending HTML as a comment in the Deck app
Global site selector authentication bypass
Bruteforce protection can be bypassed with misconfigured proxy
Workflows do not require password confirmation on API level
App PIN code can be bypassed in Files iOS
Calendar app returns full stacktrace when an error happens while editing appointment
Users can make external storage mount points inaccessible for other users
HTML injection in search UI when selecting a circle with HTML in the display name
Self XSS when pasting HTML into Text app with Ctrl+Shift+V
user_ldap app logs user passwords in the log file at log level debug
Can enable/disable birthday calendar for any user
DNS pin middleware can be tricked into DNS rebinding allowing SSRF