17 matches found

CVE | added 2021/04/14 12:41 p.m. | 191 views

CVE-2021-22879

CVE-2021-22879 affects Nextcloud Desktop Client prior to version 3.1.3. The vulnerability arises from missing validation of URLs, enabling a remote server to trigger resource injection and execute commands on the user’s machine, with user interaction required for exploitation. Public references f...

CVSS 8.8 | AI score 8.6 | EPSS 0.02214

CVE | added 2020/03/20 8:20 p.m. | 125 views

CVE-2020-8140

CVE-2020-8140 affects Nextcloud Desktop Client for macOS (version 2.6.2). A code injection flaw arises when DYLD_INSERT_LIBRARIES is set in the environment, allowing loading of arbitrary code at startup and enabling code execution in the Nextcloud process. The vulnerability is demonstrated in mul...

CVSS 6.7 | AI score 6.6 | EPSS 0.00175

CVE | added 2020/08/21 8:34 p.m. | 109 views

CVE-2020-8189

CVE-2020-8189 affects Nextcloud Desktop Sync client (Nextcloud Desktop client) 2.6.4, where an XSS on the login response could render arbitrary HTML, including local links. Root cause: cross-site scripting in the login handling. Impact stated in connected docs: ability to present HTML content in ...

CVSS 5.4 | AI score 5.2 | EPSS 0.00624

CVE | added 2021/08/18 4:00 p.m. | 93 views

CVE-2021-32728

The CVE describes a vulnerability in Nextcloud Desktop Client prior to 3.3.0 where the client does not verify that a private key matches the previously downloaded public certificate when obtaining keys via the API. If a server serves a malicious public key, user data could be encrypted for that k...

CVSS 6.5 | AI score 6.1 | EPSS 0.00209

CVE | added 2023/02/06 8:23 p.m. | 87 views

CVE-2023-23942

CVE-2023-23942 affects the Nextcloud Desktop Client prior to 3.6.3. The issue is a lack of sanitisation on qml labels used for basic HTML elements (e.g., strong, em, head) in the UI, which may allow JavaScript injection. Affected versions:

CVSS 6.1 | AI score 5.9 | EPSS 0.01669

CVE | added 2022/11/25 12:00 a.m. | 86 views

CVE-2022-39332

Summary (CVE-2022-39332): The Nextcloud Desktop client (nextcloud-desktop) is affected. An attacker can inject arbitrary HTML into the Desktop Client via user status and information, enabling a desktop UI HTML injection (XSS) vulnerability. The issue is remedied by upgrading the Nextcloud Deskto...

CVSS 5.4 | AI score 5 | EPSS 0.00473

CVE | added 2022/11/25 12:00 a.m. | 81 views

CVE-2022-39331

CVE-2022-39331 affects the Nextcloud desktop client. An attacker can inject arbitrary HTML into the Desktop Client notifications due to insufficient input sanitisation. Public advisories (OpenSUSE/OpenSUSE SU, Debian LTS) and the Debian/NVD entries reference this issue, with remediation recommend...

CVSS 5.4 | AI score 5 | EPSS 0.00473

CVE | added 2022/11/25 12:00 a.m. | 80 views

CVE-2022-39333

CVE-2022-39333 affects the Nextcloud Desktop Client. An attacker can inject arbitrary HTML into the Desktop Client application, enabling potential HTML/JS injection via the UI. Affected software: Nextcloud Desktop client prior to upgrade. Mitigation: upgrade to Nextcloud Desktop version 3.6.1 or ...

CVSS 6.1 | AI score 5.3 | EPSS 0.00473

CVE | added 2022/11/25 12:00 a.m. | 75 views

CVE-2022-39334

CVE-2022-39334 affects the Nextcloud CLI tool nextcloudcmd (not the GUI/server). The vulnerability arises because nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, enabling a local attacker to perform a MITM to exfiltrate data or credentials. Affected versions are befo...

CVSS 4.7 | AI score 4.6 | EPSS 0.00065

CVE | added 2020/08/21 8:33 p.m. | 73 views

CVE-2020-8227

Nextcloud Desktop Client for Linux (2.6.4) is affected. The root cause is missing sanitization of a server response, which allows a malicious Nextcloud Server to store files outside the dedicated sync directory (directory traversal). Impact is potential leakage/exfiltration of files outside the s...

CVSS 7.1 | AI score 6.4 | EPSS 0.00904

CVE | added 2021/06/11 3:49 p.m. | 70 views

CVE-2021-22895

CVE-2021-22895 refers to a vulnerability in Nextcloud Desktop Client prior to 3.3.1 where SSL certificate validation is not performed during the “Register with a Provider” flow, due to missing certificate verification. The root cause is improper certificate validation in the provider enrollment p...

CVSS 5.9 | AI score 5.8 | EPSS 0.00364

CVE | added 2024/06/14 3:42 p.m. | 58 views

CVE-2024-37885

CVE-2024-37885 concerns the Nextcloud Desktop Client for macOS. A code injection vulnerability allows loading arbitrary code when the client is launched with the environment variable DYLD_INSERT_LIBRARIES set, as reported for versions prior to 3.12.0. The issue stems from how the macOS client han...

CVSS 7.8 | AI score 4.8 | EPSS 0.00126

CVE | added 2020/08/10 1:35 p.m. | 53 views

CVE-2020-8224

CVE-2020-8224 – Nextcloud Desktop Client (Windows). Root cause: The Nextcloud Desktop Client ships a Windows OpenSSL library (libeay32.dll) compiled without a defined openssldir. The library attempts to load c:\usr\local\ssl\openssl.cnf on startup. A low-privilege user can create the directory and...

CVSS 7.8 | AI score 7.6 | EPSS 0.00188

CVE | added 2020/09/18 8:11 p.m. | 49 views

CVE-2020-8225

CVE-2020-8225 affects Nextcloud Desktop Client 2.6.4, where proxy parameters and authentication credentials are stored in plaintext. This plaintext storage constitutes the root cause and enables disclosure of used proxies and their credentials, impacting confidentiality. The published advisory NC...

CVSS 7.5 | AI score 7.4 | EPSS 0.00563

CVE | added 2020/08/17 3:36 p.m. | 46 views

CVE-2020-8230

CVE-2020-8230 concerns Nextcloud Desktop Client v2.6.4 on Windows. The linked documents state a memory corruption vulnerability arising from missing ASLR and DEP protections, enabling memory corruption with a local attack surface. Impact noted includes high availability impact per CVSS v3.1; expl...

CVSS 5.5 | AI score 5.5 | EPSS 0.00072

CVE | added 2020/08/10 1:35 p.m. | 42 views

CVE-2020-8229

CVE-2020-8229 affects the Nextcloud Desktop Client 2.6.4 via a flaw in the OCUtil.dll that causes a memory leak, resulting in a possible DoS of the host system. The available connected documents corroborate the issue as a memory leak in the OCUtil.dll used by Nextcloud Desktop Client 2.6.4, wit...

CVSS 5.5 | AI score 5.2 | EPSS 0.00077

CVE | added 2025/05/16 2:13 p.m. | 42 views

CVE-2025-47792

Nextcloud Desktop prior to version 3.15 is affected: 3rd-party applications already installed on a user machine can create link shares for nearly all data through the socket API, enabling exfiltration to external services. The vulnerability’s impact is rated high for confidentiality and low for i...

CVSS 6.1 | AI score 5.1 | EPSS 0.00038