27 matches found
CVE-2021-22879
CVE-2021-22879 affects Nextcloud Desktop Client prior to version 3.1.3. The vulnerability arises from missing validation of URLs, enabling a remote server to trigger resource injection and execute commands on the user’s machine, with user interaction required for exploitation. Public references f...
CVE-2020-8140
CVE-2020-8140 affects Nextcloud Desktop Client for macOS (version 2.6.2). A code injection flaw arises when DYLD_INSERT_LIBRARIES is set in the environment, allowing loading of arbitrary code at startup and enabling code execution in the Nextcloud process. The vulnerability is demonstrated in mul...
CVE-2023-28999
CVE-2023-28999 affects Nextcloud clients: Desktop 3.0.0–3.8.0, Android 3.13.0–3.25.0, iOS 3.0.5–4.8.0. Description in OSV/NVD indicates a malicious server administrator can gain full access to an end-to-end encrypted folder, decrypt files, recover folder structure, and add new files, due to a lac...
CVE-2022-41882
The CVE-2022-41882 entry concerns the Nextcloud Desktop Client. Affected product: Nextcloud Desktop Client prior to version 3.6.1. Root cause: clicking an nc://open/ link for a malicious shared file, when the file is locally synced or the virtual filesystem is enabled, can cause the default editor...
CVE-2020-8189
CVE-2020-8189 affects Nextcloud Desktop Sync client (Nextcloud Desktop client) 2.6.4, where an XSS on the login response could render arbitrary HTML, including local links. Root cause: cross-site scripting in the login handling. Impact stated in the linked references: ability to present HTML content in ...
CVE-2021-32728
The CVE describes a vulnerability in Nextcloud Desktop Client prior to 3.3.0 where the client does not verify that a private key matches the previously downloaded public certificate when obtaining keys via the API. If a server serves a malicious public key, user data could be encrypted for that k...
CVE-2023-23942
CVE-2023-23942 affects the Nextcloud Desktop Client prior to 3.6.3. The issue is a lack of sanitisation on QML labels used for basic HTML elements (e.g., strong, em, head) in the UI, which may allow JavaScript injection. Affected versions:
CVE-2022-39332
Summary (CVE-2022-39332): The Nextcloud Desktop client (nextcloud-desktop) is affected. An attacker can inject arbitrary HTML into the Desktop Client via user status and information, enabling a desktop UI HTML injection (XSS) vulnerability. The issue is remedied by upgrading the Nextcloud Deskto...
CVE-2023-22472
CVE-2023-22472 affects the Nextcloud Deck integration with the Nextcloud Desktop Client. The issue is a Cross-Site Request Forgery (CSRF) vulnerability that enables an attacker to induce a user to send a POST request with an arbitrary body by clicking a malicious deep link on Windows. Multiple so...
CVE-2022-39331
CVE-2022-39331 affects the Nextcloud desktop client. An attacker can inject arbitrary HTML into the Desktop Client notifications due to insufficient input sanitisation. Public advisories (OpenSUSE/OpenSUSE SU, Debian LTS) and the Debian/NVD entries reference this issue, with remediation recommend...
CVE-2022-39333
CVE-2022-39333 affects the Nextcloud Desktop Client. An attacker can inject arbitrary HTML into the Desktop Client application, enabling potential HTML/JS injection via the UI. Affected software: Nextcloud Desktop client prior to upgrade. Mitigation: upgrade to Nextcloud Desktop version 3.6.1 or ...
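CVE-2022-39331, CVE-2022-39332, CVE-2022-39333 and CVE-2023-23942 share one root cause: server-controlled text (notifications, user status and information, other UI strings) reaches a rich-text label without sanitisation. The following is an added example in Python, not code from the Nextcloud client, of an allowlist sanitiser that keeps only inline emphasis tags, drops every attribute and every other tag, and escapes all text. The allowed-tag set, the function names and the sample strings are assumptions made for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Inline formatting a status line or notification legitimately needs (assumed set).
# Everything else, including <a>, <img>, <head>, <script> and every attribute, is dropped.
ALLOWED_TAGS = {"strong", "em", "b", "i"}


class _Allowlist(HTMLParser):
    """Rebuilds the input keeping only ALLOWED_TAGS (attribute-free) and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")      # attributes (onclick=, style=, ...) discarded
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        pass                                   # <br/>, <img/> and friends are dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            # close back down to the matching tag so the output stays well formed
            while self.open_tags:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))

    def close(self):
        super().close()
        while self.open_tags:                  # close anything the server left open
            self.out.append(f"</{self.open_tags.pop()}>")


def render_label_unsafe(server_text: str) -> str:
    """The vulnerable pattern: server text handed to a rich-text label unchanged."""
    return server_text


def sanitize_rich_text(server_text: str) -> str:
    """The hardened pattern: allowlist-filter before the text reaches the label."""
    parser = _Allowlist()
    parser.feed(server_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of a user status as a malicious server could send it.
    status = 'Out of office <strong onclick="steal()">until Monday</strong> <a href="javascript:alert(1)">details</a>'
    print("unsafe   :", render_label_unsafe(status))
    print("sanitised:", sanitize_rich_text(status))
```

Note that this sanitiser keeps the text inside a dropped `<script>` element as escaped, visible text; that is harmless for the label but may look odd, so a stricter deployment could drop such content entirely.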
CVE-2023-28998
The CVE-2023-28998 entry concerns the Nextcloud Desktop Client. Versions from 3.0.0 up to, but not including, 3.6.5 are vulnerable: a malicious server administrator can gain full access to an end-to-end encrypted folder, decrypt files, recover the folder structure, and add new files. Affected sof...
CVE-2022-39334
CVE-2022-39334 affects the Nextcloud CLI tool nextcloudcmd (not the GUI/server). The vulnerability arises because nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, enabling a local attacker to perform a MITM to exfiltrate data or credentials. Affected versions are befo...
CVE-2020-8227
Nextcloud Desktop Client for Linux (2.6.4) is affected. The root cause is missing sanitization of a server response, which allows a malicious Nextcloud Server to store files outside the dedicated sync directory (directory traversal). Impact is potential leakage/exfiltration of files outside the s...
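CVE-2020-8227 (server responses steering files outside the sync directory) and CVE-2022-41882 (an nc://open/ link naming a synced file) both come down to one check: a path that the server or a link hands to the client must resolve inside the sync root, after normalisation and after following any symlink already on disk. The following is an added example of that containment check in Python; it is not code from the Nextcloud client. The nc://open/<path> link shape, the function names and the constructed sample folder are assumptions.

```python
import os
import re
import tempfile
from urllib.parse import urlparse, unquote


class UnsafeServerPath(ValueError):
    """A server- or link-supplied path would land outside the sync root."""


def safe_local_path(sync_root: str, server_relative_path: str) -> str:
    """Map a path received from the server onto the local sync folder and
    refuse anything that resolves outside it. Every check is needed: an
    absolute path skips the join, '..' defeats a naive join, and a symlink
    already present on disk defeats a purely lexical check."""
    root = os.path.realpath(sync_root)
    rel = server_relative_path.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        raise UnsafeServerPath(f"absolute path from server: {server_relative_path!r}")
    # normpath collapses 'a/../../b' to '../b', so the prefix test below catches it
    candidate = os.path.normpath(os.path.join(root, rel))
    if candidate == root:
        return root
    if not candidate.startswith(root + os.sep):
        raise UnsafeServerPath(f"traversal outside sync root: {server_relative_path!r}")
    # Resolve symlinks in the directory part only: the file itself may not exist yet
    parent_real = os.path.realpath(os.path.dirname(candidate))
    if parent_real != root and not parent_real.startswith(root + os.sep):
        raise UnsafeServerPath(f"symlink escapes sync root: {server_relative_path!r}")
    return os.path.join(parent_real, os.path.basename(candidate))


def path_from_open_link(sync_root: str, link: str) -> str:
    """Assumed deep-link shape nc://open/<percent-encoded path relative to the
    sync folder>; the real client's link format is not described on this page.
    The link body is attacker-influenced, so it gets the same containment check."""
    parsed = urlparse(link)
    if parsed.scheme != "nc" or parsed.netloc != "open":
        raise UnsafeServerPath(f"not an nc://open/ link: {link!r}")
    # strip exactly the one slash urlparse leaves after the host, then decode,
    # so an encoded or doubled slash still shows up as an absolute path and is rejected
    body = parsed.path[1:] if parsed.path.startswith("/") else parsed.path
    return safe_local_path(sync_root, unquote(body))


def demo_root() -> str:
    """Constructed sample sync folder: empty apart from a symlink 'escape'
    pointing at the folder's parent directory (simulates a planted link)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="ncsync-"))
    os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
    return root


if __name__ == "__main__":
    root = demo_root()
    for rel in ("docs/report.txt", "../outside.txt", "escape/outside.txt", "/etc/passwd"):
        try:
            print(rel, "->", safe_local_path(root, rel))
        except UnsafeServerPath as exc:
            print(rel, "-> REJECTED:", exc)
```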
CVE-2021-22895
CVE-2021-22895 refers to a vulnerability in Nextcloud Desktop Client prior to 3.3.1 where SSL certificate validation is not performed during the “Register with a Provider” flow. The root cause is improper certificate validation in the provider enrollment p...
CVE-2024-46958
The CVE applies to Nextcloud Desktop Client for Linux, versions 3.13.1–3.13.3, where the synchronization process may cause files being synchronized between server and client to become world-writable or world-readable. The issue is fixed in version 3.13.4. CVSS metrics in the provided documents sh...
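CVE-2024-46958 leaves synced files readable or writable by every account on the host. Below is an added audit script in Python (not Nextcloud code) that walks a sync folder, reports every entry with an "other" read or write bit set, and optionally re-applies owner-only modes. The sample tree it builds is constructed for the demonstration; the function names are assumptions, and the repair step also clears group bits, which goes slightly beyond the world-access the entry describes.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Any of these set on a file or directory means other local users can touch it.
OTHERS_RW = stat.S_IROTH | stat.S_IWOTH


def mode_of(path: str) -> int:
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def exposed_entries(sync_root: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for every entry below sync_root that is
    world-readable or world-writable. Symlinks are skipped: their own mode
    is meaningless and their targets are audited where they really live."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(sync_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & OTHERS_RW:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def owner_only_mode(st_mode: int) -> int:
    """0o700 for directories, 0o600 for files (keeping an existing owner execute bit)."""
    if stat.S_ISDIR(st_mode):
        return 0o700
    return 0o600 | (stat.S_IMODE(st_mode) & stat.S_IXUSR)


def tighten(sync_root: str, dry_run: bool = True) -> List[str]:
    """Re-apply owner-only permissions to every exposed entry; returns the
    paths that were changed (or would be changed when dry_run is True)."""
    changed = []
    for path, _ in exposed_entries(sync_root):
        want = owner_only_mode(os.lstat(path).st_mode)
        changed.append(path)
        if not dry_run:
            os.chmod(path, want)
    return changed


def make_demo_tree() -> Dict[str, str]:
    """Constructed sample sync folder (not real data): one correctly private
    file, one world-readable file and one world-writable directory."""
    root = tempfile.mkdtemp(prefix="ncsync-")
    paths = {
        "root": root,
        "private": os.path.join(root, "private.txt"),
        "leaky": os.path.join(root, "leaky.txt"),
        "shared": os.path.join(root, "shared"),
    }
    for key in ("private", "leaky"):
        with open(paths[key], "wb") as fh:
            fh.write(b"constructed sample content\n")
    os.mkdir(paths["shared"])
    os.chmod(paths["private"], 0o600)
    os.chmod(paths["leaky"], 0o644)
    os.chmod(paths["shared"], 0o777)
    return paths


if __name__ == "__main__":
    tree = make_demo_tree()
    for path, mode in exposed_entries(tree["root"]):
        print(f"{mode} {path}")
    print("would fix:", tighten(tree["root"], dry_run=True))
```

Run it against the real sync folder with `dry_run=True` first; on a multi-user machine the finding list is also what you would hand to the owner of the data, since the exposure already happened while the bits were set.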
CVE-2023-29000
The CVE-2023-29000 entry affects the Nextcloud Desktop Client. Starting with version 3.0.0 and prior to 3.7.0, the client trusts that the server certificate belongs to the user’s keypair, allowing a malicious server to cause the desktop client to encrypt files with an attacker-known key. The issu...
CVE-2021-37617
Summary of CVE-2021-37617: The Nextcloud Desktop Client for Windows, versions 3.0.3 through 3.2.4, searches for an Uninstall.exe file in a folder writable by regular users (an uninstaller search-path flaw). A malicious user could place a crafted Uninst...
CVE-2024-52510
The CVE-2024-52510 issue affects the Nextcloud Desktop Client. The client bypassed signature validation when the server sent an empty initial end-to-end signature: the check passed instead of failing with an error, leaving the integrity of end-to-end encrypted data unprotected. Affected software: Nextcloud Desktop...
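CVE-2024-52510 is a fail-open check: an empty signature from the server is treated as "nothing to verify" rather than as an error. The following is an added example in Python, not the client's code, showing the vulnerable verifier beside a fail-closed one. HMAC-SHA256 stands in for the real end-to-end signature scheme, and the metadata blob and key are constructed; both are assumptions.

```python
import hashlib
import hmac


class SignatureError(Exception):
    """Raised when metadata cannot be authenticated; the caller must stop syncing."""


def sign_metadata(key: bytes, metadata: bytes) -> bytes:
    """Stand-in signature primitive (assumption): HMAC-SHA256 over the
    serialized folder metadata. The real E2EE format is not on this page."""
    return hmac.new(key, metadata, hashlib.sha256).digest()


def verify_vulnerable(key: bytes, metadata: bytes, signature: bytes) -> bool:
    """Fail-open: an empty signature is read as 'first sync, nothing to check'.
    A server that simply omits the signature gets arbitrary metadata accepted."""
    if not signature:
        return True
    return hmac.compare_digest(sign_metadata(key, metadata), signature)


def verify_hardened(key: bytes, metadata: bytes, signature: bytes) -> bool:
    """Fail-closed: a missing, short or wrong signature is an error, never a pass."""
    expected = sign_metadata(key, metadata)
    if len(signature) != len(expected) or not hmac.compare_digest(expected, signature):
        raise SignatureError("metadata signature missing or invalid; refusing to sync")
    return True


def apply_server_metadata(key: bytes, metadata: bytes, signature: bytes, verify) -> bytes:
    """What the client would do with the metadata once 'verified': returns the blob
    it will act on, so the two verifiers can be compared on the same server input."""
    if not verify(key, metadata, signature):
        raise SignatureError("metadata signature invalid")
    return metadata


if __name__ == "__main__":
    key = bytes(range(32))                                   # constructed test key
    genuine = b'{"files": {"notes.txt": "enc-key-1"}}'        # constructed metadata
    tampered = b'{"files": {"notes.txt": "attacker-key"}}'
    print("vulnerable accepts tampered+empty:", verify_vulnerable(key, tampered, b""))
    try:
        verify_hardened(key, tampered, b"")
    except SignatureError as exc:
        print("hardened rejects:", exc)
    print("hardened accepts genuine:", verify_hardened(key, genuine, sign_metadata(key, genuine)))
```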
CVE-2024-37885
CVE-2024-37885 concerns the Nextcloud Desktop Client for macOS. A code injection vulnerability allows loading arbitrary code when the client is launched with the environment variable DYLD_INSERT_LIBRARIES set, as reported for versions prior to 3.12.0. The issue stems from how the macOS client han...
CVE-2023-28997
Summary (CVE-2023-28997): The Nextcloud Desktop Client is affected when running versions 3.0.0 up to before 3.6.5, where an attacker with control of a malicious server could recover and modify the contents of end-to-end encrypted files due to a vulnerability tied to IV reuse in the E2EE scheme. Th...
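The entry above attributes CVE-2023-28997 to IV reuse. The example below is added here and is not Nextcloud code; it shows why reusing an IV under one key is fatal for any counter-mode cipher: two ciphertexts made with the same keystream leak the XOR of their plaintexts, so one known plaintext (an older version of a file that the server still holds) recovers the other outright, and a ciphertext can be edited to decrypt to attacker-chosen text. HMAC-SHA256 stands in for the AES block function so the code runs with the standard library only (an assumption, as are the key, IV and file contents). With AES-GCM the attacker must additionally forge the authentication tag; nonce reuse permits that too, but that part is not shown here.

```python
import hashlib
import hmac


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream PRF(key, iv || counter). HMAC-SHA256 replaces the
    AES block function (assumption for a stdlib-only demo); the property being
    shown does not depend on which PRF produces the keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CTR encryption: ciphertext = plaintext XOR keystream(key, iv)."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # CTR mode is its own inverse


def recover_from_iv_reuse(ct1: bytes, ct2: bytes, known_plaintext1: bytes) -> bytes:
    """Two ciphertexts under the same key and IV share a keystream, so
    ct1 XOR pt1 reveals it and ct2 XOR keystream reveals the second plaintext.
    No key material is needed at any point."""
    shared_keystream = xor(ct1, known_plaintext1)
    return xor(ct2, shared_keystream[: len(ct2)])


def forge(ct: bytes, old_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Edit an encrypted file without the key: flipping the bits that differ
    between old and new plaintext flips the same bits after decryption."""
    return xor(ct, xor(old_plaintext, new_plaintext))


if __name__ == "__main__":
    key = bytes(range(32))          # constructed key
    iv = bytes(12)                  # the reused IV
    v1 = b"report-v1: quarterly revenue 100"   # older version, known to the attacker
    v2 = b"report-v2: quarterly revenue 250"   # current version, unknown
    c1, c2 = encrypt(key, iv, v1), encrypt(key, iv, v2)
    print("recovered v2:", recover_from_iv_reuse(c1, c2, v1))
    forged = forge(c2, recover_from_iv_reuse(c1, c2, v1), b"report-v2: quarterly revenue 999")
    print("victim decrypts forged file as:", decrypt(key, iv, forged))
```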
CVE-2020-8224
CVE-2020-8224 – Nextcloud Desktop Client (Windows). Root cause: The Nextcloud Desktop Client ships a Windows OpenSSL library (libeay32.dll) compiled without a defined openssldir. The library attempts to load c:\usr\local\ssl\openssl.cnf on startup. A low-privilege user can create the directory and...
CVE-2020-8225
CVE-2020-8225 affects Nextcloud Desktop Client 2.6.4, where proxy parameters and authentication credentials are stored in plaintext. This plaintext storage constitutes the root cause and enables disclosure of used proxies and their credentials, impacting confidentiality. The published advisory NC...
CVE-2020-8229
CVE-2020-8229 affects the Nextcloud Desktop Client 2.6.4 through a memory leak in OCUtil.dll, which can lead to a denial of service of the host system. The linked documents corroborate the issue as a memory leak in the OCUtil.dll used by Nextcloud Desktop Client 2.6.4, wit...
CVE-2020-8230
CVE-2020-8230 concerns Nextcloud Desktop Client v2.6.4 on Windows. The linked documents describe a memory corruption vulnerability attributed to the binary being built without ASLR and DEP, which leaves memory corruption exploitable from a local attack surface. Impact noted includes high availability impact per CVSS v3.1; expl...
CVE-2025-47792
Nextcloud Desktop prior to version 3.15 is affected: 3rd-party applications already installed on a user machine can create link shares for nearly all data through the socket API, enabling exfiltration to external services. The vulnerability’s impact is rated high for confidentiality and low for i...
CVE-2025-66549
The CVE-2025-66549 entry concerns Nextcloud Desktop (the desktop sync client). Before version 3.16.5, locking a file inside an end-to-end encrypted directory would send the file’s path to the server unencrypted, allowing administrators to see it in logs. The root cause is unencrypted transmission...