Lucene search
K
NextcloudNextcloud Server

189 matches found

CVE
CVE
•added 2023/02/13 4:43 p.m.•95 views

CVE-2023-25159

CVE-2023-25159 affects Nextcloud Server and related components. Technical details from PT Security show the issue resides in OCFilesNodeFolder::getFullPath(), where improper validation/normalization can allow crafted paths to escape a user’s space, potentially overwriting other users’ data. Affec...

5.3CVSS4.3AI score0.00455EPSS
CVE
CVE
•added 2026/06/01 5:9 p.m.•95 views

CVE-2026-45691

Summary: CVE-2026-45691 affects Nextcloud Server prior to 32.0.9 and 33.0.3, where a pre-2FA session cookie created after password auth but before TOTP could be reused as a Bearer token to access DAV endpoints, bypassing mandatory two-factor authentication and granting read/write access. Impact: ...

5.9CVSS5.7AI score0.0029EPSS
CVE
CVE
•added 2023/10/16 6:51 p.m.•94 views

CVE-2023-45148

Technical details about CVE-2023-45148 are not publicly available in the provided connected documents. Monitor for updates from Nextcloud advisories to obtain concrete affected versions, impact, and remediation information.

4.3CVSS4.4AI score0.00699EPSS
CVE
CVE
•added 2023/08/10 5:23 p.m.•92 views

CVE-2023-39962

Technical details for CVE-2023-39962 are not publicly available in the provided documents; monitor for updates from Nextcloud advisories.

7.7CVSS7.4AI score0.00822EPSS
CVE
CVE
•added 2024/11/15 4:46 p.m.•92 views

CVE-2024-52518

CVE-2024-52518 (Nextcloud Server) : A session takeover allows an attacker who gains access to a user or admin session to create, modify, or delete external storages without re-entering a password. Descriptions across multiple sources (NVD, Red Hat, GitHub advisories) confirm the issue affects Nex...

5.4CVSS4.5AI score0.00529EPSS
CVE
CVE
•added 2024/11/15 4:35 p.m.•92 views

CVE-2024-52523

CVE-2024-52523 affects Nextcloud Server. When a user or administrator defines external storage with fixed credentials, the API returns those credentials and re-inserts them into the frontend, allowing an attacker with an active user session to read them in plain text. The vulnerability enables in...

6.5CVSS4.5AI score0.0063EPSS
CVE
CVE
•added 2024/06/14 3:8 p.m.•91 views

CVE-2024-37315

CVE-2024-37315 affects Nextcloud Server; with files_versions feature enabled, an attacker with read-only access to a file can restore older document versions. Remediation per sources: upgrade Nextcloud Server to 28.0.3 or later (and 26.0.12, 27.1.7 for broader Enterprise coverage; see associated ...

4.3CVSS3.8AI score0.00431EPSS
CVE
CVE
•added 2021/06/01 10:10 p.m.•90 views

CVE-2021-32657

CVE-2021-32657 affects Nextcloud Server: in versions prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user could break the user administration page, preventing admins from managing users. The issue is fixed in 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command...

4.3CVSS4.7AI score0.01823EPSS
CVE
CVE
•added 2022/12/01 8:47 p.m.•90 views

CVE-2022-41969

Summary: CVE-2022-41969 affects Nextcloud Server where there is no password length limit when creating a user as an administrator, enabling a limited DoS on the administrator’s own server. Affects (versions): Nextcloud Server versions prior to 23.0.11, 24.0.7, and 25.0.0. Impact (as stated): Limi...

2.7CVSS3.5AI score0.00806EPSS
CVE
CVE
•added 2024/06/14 2:50 p.m.•90 views

CVE-2024-37313

CVE-2024-37313 corresponds to multiple Nextcloud vulnerabilities surfaced by PT Security and related alerts, detailing improper authentication and credential exposure scenarios. Technical details across connected sources include: 2FA bypass after valid credentials, read-access to external storage...

7.5CVSS7.1AI score0.00402EPSS
CVE
CVE
•added 2020/02/04 7:8 p.m.•89 views

CVE-2019-15616

CVE-2019-15616 affects Nextcloud Server (notably Nextcloud Server 16) where dangling remote share attempts can cause DNS pollution when the system runs for extended periods. Public sources describe the vulnerability as a DNS pollution condition resulting from improper handling of remote shares. T...

4.3CVSS4.9AI score0.00765EPSS
CVE
CVE
•added 2023/03/22 6:22 p.m.•89 views

CVE-2023-25820

CVE-2023-25820 affects Nextcloud Server and Enterprise Server: if an attacker gains access to an already logged-in user session, they can brute-force the password on the confirmation endpoint. Affected ranges and patches per sources include Nextcloud Server 24.0.x < 24.0.10 and 25.0.x < 25....

7.8CVSS5.8AI score0.00235EPSS
CVE
CVE
•added 2023/04/25 4:32 p.m.•89 views

CVE-2023-28847

CVE-2023-28847 affects Nextcloud Server and Enterprise Server. Description: an attacker could brute-force the password of a share link due to missing brute-force protection. Affected versions include Nextcloud Server 24.0.0–24.0.10, 25.0.0–25.0.4, and Enterprise 23.0.0–23.0.11, plus related 24.0....

7.5CVSS5.4AI score0.00774EPSS
CVE
CVE
•added 2018/08/12 10:0 p.m.•88 views

CVE-2018-3775

CVE-2018-3775 concerns Nextcloud Server prior to version 12.0.3, where an attacker with valid user credentials could bypass two‑factor authentication due to improper authentication. The NVD entry lists CVSSv3.1 impact as high (C/H/I/H/A/H) and CVSSv2 as medium (I/P, no confidentiality/availabilit...

8.8CVSS8.7AI score0.01234EPSS
CVE
CVE
•added 2022/04/27 2:25 p.m.•88 views

CVE-2022-24888

Nextcloud Server vulnerability CVE-2022-24888 affects the file server component: prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files or folders whose names include leading or trailing control characters (\n, \r, \t, \v). The issue arises because the server filt...

5CVSS4.8AI score0.01229EPSS
CVE
CVE
•added 2025/05/16 2:2 p.m.•88 views

CVE-2025-47790

Nextcloud Server and Enterprise Server are affected by a session-handling bug that can skip the second-factor authentication after a successful login when remember_login_cookie_lifetime is set to 0 and the session times out. Affected versions: Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3...

6.4CVSS6.5AI score0.00325EPSS
CVE
CVE
•added 2021/06/01 7:50 p.m.•87 views

CVE-2021-32653

CVE-2021-32653 affects Nextcloud Server. The issue leaks user IDs to the lookup server even when user fields are not published. Patched in Nextcloud versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside updating are known. Connected sources from Gentoo GLSA and GHSA advisories corroborate...

4CVSS4AI score0.01205EPSS
CVE
CVE
•added 2023/03/27 8:0 p.m.•87 views

CVE-2023-25818

CVE-2023-25818 affects Nextcloud Server in multiple versions: 24.0.0–24.0.10 and 25.0.0–25.0.4 (and related Enterprise/server variants). The root cause is lack of brute-force protection on authentication-related endpoints (password resets), enabling potential password-guessing attacks. A throttle...

7.1CVSS6AI score0.00602EPSS
CVE
CVE
•added 2024/06/14 3:28 p.m.•87 views

CVE-2024-37882

CVE-2024-37882 affects Nextcloud Server (and Enterprise Server per advisory) where a recipient of a share with read&share permissions could reshared the item with higher permissions. The NVD entry lists higher impact on confidentiality and integrity (C/H, I/H) but no availability impact, with net...

8.1CVSS8AI score0.00538EPSS
CVE
CVE
•added 2021/10/25 9:50 p.m.•86 views

CVE-2021-41177

The CVE-2021-41177 entry affects Nextcloud Server. The issue is that before versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud did not implement a memory-cache backend for rate-limiting, so components using rate limits (e.g., AnonRateThrottle, UserRateThrottle) were not actually rate-limited on inst...

8.1CVSS7.8AI score0.015EPSS
CVE
CVE
•added 2023/11/21 10:6 p.m.•86 views

CVE-2023-48304

CVE-2023-48304 affects Nextcloud Server (and Enterprise) where an attacker could enable/disable the birthday calendar for any user on the same server. Patches exist for Nextcloud Server versions 25.0.11, 26.0.6, and 27.1.0, and for Nextcloud Enterprise Server versions 22.2.10.16, 23.0.12.11, 24.0...

4.3CVSS4.4AI score0.00604EPSS
CVE
CVE
•added 2022/05/31 4:15 p.m.•85 views

CVE-2022-29243

CVE-2022-29243 affects Nextcloud Server: insufficient input-size validation for new session names allows creation of excessively long app passwords, whose names are loaded into memory on use and can degrade performance. Affected versions are prior to 22.2.7 and 23.0.4; a fix is provided in 22.2.7...

4.3CVSS4.8AI score0.0143EPSS
CVE
CVE
•added 2023/05/26 10:49 p.m.•85 views

CVE-2023-32319

Nextcloud Server vulnerability CVE-2023-32319: Missing brute-force protection on WebDAV endpoints via basic auth allows credential brute-forcing when usernames are not emails (affects 24.0.0+; fixed in 24.0.11, 25.0.5, 26.0.0). Users should upgrade to these releases; no workarounds are documented.

8.1CVSS6.7AI score0.00697EPSS
CVE
CVE
•added 2022/08/04 5:0 p.m.•84 views

CVE-2022-31120

Summary: CVE-2022-31120 affects Nextcloud Server. The issue is that federated share events were not properly logged in the audit log, enabling potential brute-force attempts to go unnoticed and exacerbating the impact of CVE-2022-31118. What’s affected: Nextcloud Server (versions before upgrades ...

2.7CVSS4.5AI score0.00673EPSS
CVE
CVE
•added 2022/12/01 8:54 p.m.•84 views

CVE-2022-41970

CVE-2022-41970 affects Nextcloud Server prior to 24.0.7 and 25.0.1, where disabled download shares could still be accessed via preview images. As a result, images could be downloaded and the first page of document previews could be downloaded without watermark, effectively bypassing intended prot...

5.3CVSS4.4AI score0.00598EPSS
CVE
CVE
•added 2024/06/14 3:48 p.m.•84 views

CVE-2024-37887

Vulnerability summary (CVE-2024-37887) Nextcloud Server: private shared calendar events recurrence exceptions can be read by sharees. Affected for general Nextcloud Server and Enterprise Server versions as per advisory. Impact: potential information disclosure of calendar recurrence exceptions. R...

3.5CVSS3.6AI score0.00381EPSS
CVE
CVE
•added 2020/11/16 12:36 a.m.•83 views

CVE-2020-8152

CVE-2020-8152 affects Nextcloud Server 19.0.1 where server-side encryption keys are not adequately protected, enabling an attacker to replace the public key and later decrypt data. The vulnerability is described in Nextcloud advisory NC-SA-2020-040 and related disclosures; the issue concerns impr...

4.4CVSS4.9AI score0.0032EPSS
CVE
CVE
•added 2022/11/25 12:0 a.m.•83 views

CVE-2022-39346

CVE-2022-39346 affects Nextcloud Server. Affected versions did not properly limit user display names, which could allow a malicious user to overload the backing database and trigger a denial of service. OpenSUSE advisory confirms the issue and attributes exploitation to missing length validation ...

6.5CVSS4.9AI score0.0099EPSS
CVE
CVE
•added 2024/11/15 5:3 p.m.•83 views

CVE-2024-52515

The CVE-2024-52515 entry concerns Nextcloud Server where, after an admin enables the default-disabled SVG preview provider, a malicious user could upload an SVG file that references paths, causing the preview to render another file’s contents. Technical details across connected sources confirm th...

6.5CVSS5.5AI score0.00652EPSS
CVE
CVE
•added 2020/02/04 7:8 p.m.•82 views

CVE-2019-15617

CVE-2019-15617 affects Nextcloud Server (17.0.0) and arises from a missing check that allowed an attacker to set up a new second factor during login. Public documents reference the vulnerability and status across multiple sources (NVD/OSV/openvas) with remediation guidance generally recommending ...

5.5CVSS5.6AI score0.00607EPSS
CVE
CVE
•added 2022/05/20 4:0 p.m.•82 views

CVE-2022-29163

CVE-2022-29163 affects Nextcloud Server: prior to versions 22.2.6 and 23.0.3, a user could create a link that is not password protected even when admin-required password protection is enforced. A patch exists in 22.2.6 and 23.0.3. No public workarounds are listed. Upgrade to 22.2.6+ or 23.0.3+ to...

4.3CVSS4.2AI score0.01015EPSS
CVE
CVE
•added 2023/02/22 6:21 p.m.•82 views

CVE-2023-25579

Summary (CVE-2023-25579) Nextcloud server is affected by a directory traversal in OC\Files\Node\Folder::getFullPath(), where the function validated/normalized strings in the wrong order. This can let an attacker craft paths to escape their own space and overwrite data belonging to other users. Th...

7.5CVSS6.5AI score0.00505EPSS
CVE
CVE
•added 2023/11/21 9:26 p.m.•82 views

CVE-2023-48301

Technical details about CVE-2023-48301 are not provided in the connected documents. The initial entry describes a link-injection fix in specific Nextcloud Server/Enterprise Server versions, but no explicit affected versions or remediation details are given in the supplied sources. Monitor for upd...

5.4CVSS4.4AI score0.0064EPSS
CVE
CVE
•added 2021/06/01 8:55 p.m.•81 views

CVE-2021-32655

The CVE-2021-32655 entry concerns Nextcloud Server: in versions prior to 19.0.11, 20.0.10, and 21.0.2 an attacker could convert a Files Drop link into a federated share. When the sharing user opens the panel and removes the Create privileges from this unexpected share, the system silently grants ...

3.5CVSS4AI score0.01034EPSS
CVE
CVE
•added 2022/09/16 11:10 p.m.•81 views

CVE-2022-39211

CVE-2022-39211 corresponds to a Server-Side Request Forgery (SSRF) in Nextcloud Server caused by a filter/domain-check bypass that allows locally running web services to be discovered and requested. Affected versions include Nextcloud Server prior to 23.0.8 and 24.0.4, and Nextcloud Enterprise Se...

5.3CVSS4.5AI score0.00739EPSS
CVE
CVE
•added 2022/10/27 12:0 a.m.•81 views

CVE-2022-39329

CVE-2022-39329 affects Nextcloud Server (and Enterprise Server) prior to versions 23.0.9 and 24.0.5, where information could be exposed without admin-controlled access and without database access. The issue is resolved by patches in 23.0.9 and 24.0.5, with no public workarounds reported. Affected...

5.3CVSS4.4AI score0.006EPSS
CVE
CVE
•added 2023/06/23 8:53 p.m.•81 views

CVE-2023-35927

The CVE-2023-35927 issue affects Nextcloud Server and Enterprise Server where two trusted servers exchange share secrets and an attacker could modify or delete VCards in the origin server’s system address book, impacting user search and avatar menus. The initial description lists affected lines f...

8.1CVSS7.5AI score0.00805EPSS
CVE
CVE
•added 2023/10/13 12:7 p.m.•81 views

CVE-2023-39960

Technical details for CVE-2023-39960 are not publicly available in the provided documents; monitor for updates.

7.5CVSS6AI score0.00575EPSS
CVE
CVE
•added 2023/11/21 9:53 p.m.•81 views

CVE-2023-48302

Nextcloud CVE-2023-48302 concerns rendering HTML code pasted via Ctrl+Shift+V, which could disclose markup to other users. Affected versions include Nextcloud Server and Enterprise Server up to 25.0.12/25.0.0–25.0.12, 26.0.x up to 26.0.7/26.0.8, and 27.1.x up to 27.1.2/27.1.3. The issue is fixed ...

5.4CVSS4.5AI score0.00571EPSS
CVE
CVE
•added 2021/06/11 3:49 p.m.•80 views

CVE-2021-22915

Concrete details from connected documents indicate CVE-2021-22915 affects Nextcloud server versions up to 19.0.11, 20.0.10, 21.0.2, due to IPv6 subnets not being included in rate-limiting for brute-force protection. The vulnerability allows bypassing rate-limit protections, with impact described ...

9.8CVSS9.2AI score0.01739EPSS
CVE
CVE
•added 2023/03/30 6:57 p.m.•80 views

CVE-2023-28835

CVE-2023-28835 affects Nextcloud Server where the generated fallback password for shares used a weak random-number generator. This could allow brute-forcing the share password if no password policy is enabled. Mitigation: upgrade Nextcloud Server to 24.0.10 or 25.0.4 (or later) or enable a passwo...

7.5CVSS5.5AI score0.0054EPSS
CVE
CVE
•added 2024/11/15 5:6 p.m.•80 views

CVE-2024-52514

Summary of CVE-2024-52514 (Nextcloud Server) : The vulnerability is an access control error where, after a share is blocked by file access controls, a user can copy an intermediate folder and subsequently access blocked files based on user permissions. This affects Nextcloud Server (self-hosted f...

4.1CVSS4.3AI score0.00471EPSS
CVE
CVE
•added 2020/02/04 7:8 p.m.•79 views

CVE-2020-8121

Nextcloud Server 14.0.4 contains a bug where data could be exposed via reshared link shares beyond what the sharer intended. Evidence from multiple sources shows this could allow access to extended data in reshared links, including expired reshared links that still grant access to the full folder...

8.1CVSS7.9AI score0.01036EPSS
CVE
CVE
•added 2023/05/26 5:21 p.m.•78 views

CVE-2023-32318

Technical details for CVE-2023-32318 are not publicly available in the provided Connected documents. Please monitor for official disclosures or updated entries.

7.2CVSS6.5AI score0.00209EPSS
CVE
CVE
•added 2022/09/15 10:0 p.m.•77 views

CVE-2022-36074

The CVE-2022-36074 entry concerns Nextcloud Server where information disclosure occurs because the server fails to strip the Authorization header during HTTP downgrades. Affected products/versions include Nextcloud Server prior to 23.0.7 and 24.0.3 (enterprise versions 22.2.11, 23.0.7, or 24.0.3)...

7.5CVSS6.8AI score0.00606EPSS
CVE
CVE
•added 2023/08/10 1:50 p.m.•77 views

CVE-2023-39952

CVE-2023-39952 affects Nextcloud Server: a user could access files inside a subfolder of a groupfolder despite advanced permissions. Affected are Nextcloud Server versions starting at 22.0.0 up to but not including the patches listed for 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0....

6.5CVSS6.3AI score0.00809EPSS
CVE
CVE
•added 2023/08/10 5:7 p.m.•77 views

CVE-2023-39959

CVE-2023-39959 affects Nextcloud Server. Unauthenticated users could send a DAV request to determine whether a calendar or address book with a given identifier exists on victims’ accounts. Affected are Nextcloud Server versions prior to 25.0.9, 26.0.4, and 27.0.1 (and corresponding Enterprise Ser...

5.3CVSS4.5AI score0.00488EPSS
CVE
CVE
•added 2017/04/05 8:0 p.m.•76 views

CVE-2017-0888

CVE-2017-0888 affects Nextcloud Server versions prior to 9.0.55 and prior to 10.0.2, with a Content-Spoofing vulnerability in the files app. The top navigation bar in the files list contains partially user-controllable input that can misrepresent information. Public sources in the connected recor...

4.3CVSS4.7AI score0.01537EPSS
CVE
CVE
•added 2024/06/14 3:36 p.m.•76 views

CVE-2024-37884

CVE-2024-37884 concerns Nextcloud Server where a malicious user could send delete requests for old file versions that were shared with read permissions. The initial description specifies upgraded paths: Nextcloud Server should be updated to 26.0.12 or 27.1.7 or 28.0.3, and Nextcloud Enterprise Se...

5.4CVSS4.5AI score0.00371EPSS
CVE
CVE
•added 2024/11/15 4:55 p.m.•75 views

CVE-2024-52516

CVE-2024-52516 - Nextcloud Server group-based sharing not revoked The connected PT-Security advisory confirms concrete details: Nextcloud Server (and Enterprise Server) versions prior to specific fixed releases are affected. When a user is removed from a group, shares restricted to that group are...

4.3CVSS3.6AI score0.00419EPSS
Total number of security vulnerabilities189