384 matches found
Federated editing allows iframing remote servers by default
Improper input-size validation on the user new session name
Bypass of password requirements when sharing a folder via the Circles app
Sensitive files/ data exists post deletion of user account
Possibility for anyone to add a stack with existing tasks on anyone's board in the Deck app
Error in deleting deck cards attachment reveals the full application path
Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL
Force an admin to install recommended applications
Control character filtering misses leading and trailing whitespace in file and folder names
Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
Can bypass the lock protection in Android Files app
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Server
Command Injection in Appointment Emails for Calendar
Folder names of "File Drop" share accessible
High memory usage for generating preview of broken image
Groupfolders advanced permissions is not obeyed for subfolders
User enumeration setting not obeyed in User Status API
Geolocation preview links can be set to arbitrary links
Talk app did allow access to sensitive chat messages on lockscreen
Permission bypass in DiskLruImageCacheFileProvider (GHSL-2021-1008)
Two-Factor Authentication not enforced for pages marked as public
File Traversal affecting SVG files on Nextcloud Server
Rate-limits not working on instances without configured memory cache backend
Missing permission check on Deck API
Nextcloud Server shipped insecure Archive_Tar version
Missing User Presence Check in Nextcloud WebAuthn login
File path disclosure of shared files in OfficeOnline application
File path disclosure of shared files in Richdocuments application
XSS in Contacts
XSS in Talk
Bypass of image blocking in Nextcloud Mail
Preview generation used third-party library not suited for user-generated content
Secret Circle can be joined without approval
Deck shared with a Circle can be accessed by non-Circle members
File Drop can be bypassed using Richdocuments app
Bypass of Two Factor Authentication
Exceptions may have logged Encryption-at-Rest key content
Lack of ratelimit on Richdocuments OCS endpoint
XSS in Nextcloud Circles
Nextcloud Text app can disclose existence of folders in "File Drop" link share
End-to-end encryption device setup did not verify public key
Untrusted Search Path in Nextcloud Desktop Client
WOPI API not protected by credentials/IP check
End-to-end encryption device setup did not verify public key
Lack of ratelimit on public share link mount endpoint
File path disclosure of shared files in Nextcloud Text application
XSS in Nextcloud Text application
Webauthn tokens not removed after user has been deleted
Default share permissions not respected for federated reshares