Lucene search
K
NextcloudNextcloud Server

189 matches found

CVE
CVE
added 2024/11/15 4:43 p.m.75 views

CVE-2024-52519

CVE-2024-52519 affects Nextcloud Server and Nextcloud Enterprise Server. The issue is that OAuth2 client secrets were stored in a recoverable form, enabling an attacker with access to a database backup and the Nextcloud config file to decrypt them. Public documentation in the provided sources rec...

8.2CVSS3.3AI score0.00491EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.74 views

CVE-2016-9459

CVE-2016-9459 affects Nextcloud Server < 9.0.52 and ownCloud Server

6.1CVSS5.8AI score0.01493EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.74 views

CVE-2017-0883

CVE-2017-0883 affects Nextcloud Server before 9.0.55 and 10.0.2, where a permission escalation in the OCS sharing API allows an authenticated user to reshare items with elevated permissions. The issue enables an attacker to edit files in a share despite having only read access for folders/files t...

6.4CVSS6.1AI score0.00593EPSS
CVE
CVE
added 2021/03/03 5:39 p.m.74 views

CVE-2021-22878

CVE-2021-22878 affects Nextcloud Server prior to 20.0.6, where a reflected XSS exists due to insufficient sanitization in OC.Notification.show. The vulnerability is described across multiple sources (e.g., CNVD/CNNVD, OSV, CVE lists) and is mitigated by upgrading Nextcloud to 20.0.6 or later (per...

4.8CVSS5.1AI score0.01059EPSS
CVE
CVE
added 2022/12/01 8:38 p.m.74 views

CVE-2022-41968

Nextcloud Server vulnerability CVE-2022-41968: calendar name lengths were not validated before writing to the database, affecting versions prior to 23.0.10 and 24.0.5. Patches are available in 23.0.10 and 24.0.5; no public workarounds are documented. Connected advisories corroborate the issue as ...

5.3CVSS4.5AI score0.00846EPSS
CVE
CVE
added 2023/03/30 6:36 p.m.74 views

CVE-2023-28644

CVE-2023-28644 affects Nextcloud Server 25.x prior to 25.0.3, where an inefficient fetch operation can degrade performance and lead to a denial of service. The X.Y issue (server-side fetch) is characterized as a resource-management bottleneck that may saturate server resources, with impact limite...

7.5CVSS6.3AI score0.00624EPSS
CVE
CVE
added 2023/06/22 8:57 p.m.74 views

CVE-2023-32320

CVE-2023-32320 affects Nextcloud Server and Enterprise Server where, under parallel requests, the system could ignore the configured request limit and process faulty requests beyond the limit, enabling brute-force-like access to protected details. Affected versions include Nextcloud Server 25.0.7...

8.7CVSS7.7AI score0.00872EPSS
CVE
CVE
added 2023/08/10 5:18 p.m.74 views

CVE-2023-39961

Technical details about CVE-2023-39961 are not provided in the connected documents. The sources summarize Nextcloud fixes but do not expose exploit specifics or affected versions beyond the initial description. Monitor for updates.

4.3CVSS4.1AI score0.0047EPSS
CVE
CVE
added 2020/11/16 12:36 a.m.73 views

CVE-2020-8259

Nextcloud Server 19.0.1 is affected by CVE-2020-8259 due to insufficient protection of server-side encryption keys, allowing an attacker to replace the encryption keys. Exploitation details are not provided in the connected docs; the issue is described as a vulnerability in the key protection mec...

8.1CVSS7.9AI score0.00727EPSS
CVE
CVE
added 2023/02/24 11:39 p.m.73 views

CVE-2023-25821

Nextcloud CVE-2023-25821 describes an Improper Access Control in Nextcloud Server prior to 24.0.7 and 25.0.1 where the Secure view for internal shares can be bypassed if reshare permissions are granted. Affected versions are 24.0.4–24.0.6 and 25.0.0–25.0.0 (and other lines indicate similar ranges...

7.5CVSS6.2AI score0.00946EPSS
CVE
CVE
added 2023/03/31 10:10 p.m.73 views

CVE-2023-28844

CVE-2023-28844 affects Nextcloud Server; an access-control error allows users who should not download a file to retrieve an older version and distribute it. Affected versions were prior to 24.0.10 and prior to 25.0.4. The issue is mitigated by upgrading to Nextcloud Server 24.0.10 or 25.0.4 (or l...

6.5CVSS5.8AI score0.0062EPSS
CVE
CVE
added 2023/11/21 10:17 p.m.73 views

CVE-2023-48305

CVE-2023-48305: Nextcloud Server and Nextcloud Enterprise Server logged user passwords in plaintext to log files when loglevel was set to debug in affected releases. Affected versions: Nextcloud Server/Enterprise Server up to 25.0.10.x, 25.0.12.x, 26.0.5.x, and 27.0.x (prior to patches). Root cau...

4.4CVSS4.3AI score0.00246EPSS
CVE
CVE
added 2024/11/15 4:30 p.m.73 views

CVE-2024-52525

CVE-2024-52525 – Nextcloud Server : The vulnerability concerns how the server handles user passwords in memory. Under certain conditions, a user password could be stored unencrypted in the PHP process memory; although session data is encrypted when stored in Redis or disk, a malicious process wit...

7.5CVSS3.7AI score0.00338EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.72 views

CVE-2017-0895

The CVE-2017-0895 vulnerability affects Nextcloud Server before 10.0.4 and 11.0.2, where a logical error allows disclosure of calendar and addressbook names to other logged‑in users. No calendar/addressbook content is exposed. Affected versions are fixed in the NC-SA-2017-012 advisory, with Nextc...

3.5CVSS3.9AI score0.00724EPSS
CVE
CVE
added 2023/04/17 9:27 p.m.72 views

CVE-2023-30539

Nextcloud Server/server family suffers an access control vulnerability where system tag based file access control or file retention rules can be abused to limit or grant access. Affected: Nextcloud Server, Enterprise Server, and related Files automated tagging app. Root cause: misapplied access c...

8.8CVSS7.5AI score0.00627EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.71 views

CVE-2020-8120

CVE-2020-8120 describes a reflected XSS in Nextcloud Server 16.0.1 related to SVG logo generation. The issue affects the SVG rendering path (logo) via user-controllable inputs and has a CVSS v3.1 base score of 6.1 (MEDIUM). Public references (NVD/CVE records and Nextcloud advisory) confirm the vu...

6.1CVSS6AI score0.00916EPSS
CVE
CVE
added 2021/03/03 5:39 p.m.71 views

CVE-2021-22877

CVE-2021-22877 affects Nextcloud Server prior to 20.0.6, where a missing user check can cause a user’s own credentials to be populated for other users’ external storage configuration when that configuration has not yet been set. This is documented across multiple sources (NVD entry, CNVD/CNNVD su...

6.5CVSS6.5AI score0.01686EPSS
CVE
CVE
added 2023/06/23 8:58 p.m.71 views

CVE-2023-35928

CVE-2023-35928 affects Nextcloud Server and Enterprise Server prior to the patched versions. A user could abuse a functionality to access another user’s login credentials and take over the account. Affected ranges include Nextcloud Server 25.0.0–25.0.7 and 26.0.0–26.0.2; Enterprise Server 19.0.0–...

8.8CVSS8.5AI score0.00981EPSS
CVE
CVE
added 2023/08/10 5:4 p.m.71 views

CVE-2023-39958

CVE-2023-39958 affects Nextcloud Server where, in versions 22.0.0 through 22.2.x, 23.x, 24.x, 25.x, 26.x and 27.x, missing protection allowed brute-forcing of OAuth2 client secrets. The issue is mitigated by patches in Nextcloud Server: 25.0.9, 26.0.4, 27.0.1 and corresponding Enterprise Server p...

5.8CVSS5.2AI score0.00577EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.70 views

CVE-2016-9463

This CVE affects Nextcloud Server prior to 9.0.54 and 10.0.1 and ownCloud Server prior to 9.1.2, 9.0.6, and 8.2.9. The issue is an SMB authentication backend that, when enabled, authenticates against an SMB server and incorrectly treats a connection to an SMB server with anonymous authentication ...

8.1CVSS8.2AI score0.04095EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.70 views

CVE-2019-15612

Nextcloud Server 15.0.2 is affected by CVE-2019-15612, where 2FA sessions are not properly expired after a user password reset. The issue is described as a bug in Nextcloud Server 15.0.2 that leaves pending 2FA logins active after password changes. Public references include the NVD entry and the ...

5.9CVSS6AI score0.0032EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.70 views

CVE-2020-8117

CVE-2020-8117 affects Nextcloud Server 14.0.3, involving improper preservation of permissions that leaks event details when sharing a non-public calendar event. Public references (NVD, CVE listing, SUSE, CNVD, OpenVAS/NC-SA-2020-013) confirm the issue name and description; CVSS metrics from NVD s...

4.3CVSS4.5AI score0.00714EPSS
CVE
CVE
added 2022/10/27 12:0 a.m.70 views

CVE-2022-39330

CVE-2022-39330 affects Nextcloud Server prior to 23.0.10 and 24.0.6, and Nextcloud Enterprise Server prior to 22.2.10, 23.0.10, 24.0.6. Description: a logged-in attacker can cause resource exhaustion (database/cpu load) by abusing sharee recommendations with the Circles feature; patches exist in ...

4.8CVSS4.5AI score0.00819EPSS
CVE
CVE
added 2023/06/23 8:44 p.m.70 views

CVE-2023-35171

CVE-2023-35171 affects Nextcloud Server and Nextcloud Enterprise Server, with the issue present from 26.0.0 up to, but not including, 26.0.2. An attacker could craft a URL that redirects a victim from a legitimate domain to the attacker’s site, enabling phishing-like behavior. A fix is available ...

6.1CVSS5.1AI score0.00593EPSS
CVE
CVE
added 2023/11/21 10:0 p.m.70 views

CVE-2023-48303

Multiple PTSecurity advisories describe Nextcloud Server/Enterprise Server vulnerabilities with concrete versioned fixes. Issues cover: (1) reading external storage credentials or stored global credentials from client sessions or API responses; (2) insufficient authentication or session‑level pro...

2.7CVSS3.5AI score0.00671EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.69 views

CVE-2017-0893

CVE-2017-0893 affects Nextcloud Server prior to 9.0.58, 10.0.5, and 11.0.3. A vulnerable JavaScript library used for sanitizing untrusted input enables a cross-site scripting (XSS) issue due to a Safari 10.1/10.2 behavior change. Nextcloud notes a strict Content-Security-Policy that mitigates exp...

5.4CVSS5.2AI score0.00643EPSS
CVE
CVE
added 2023/03/30 6:49 p.m.69 views

CVE-2023-28833

CVE-2023-28833 affects Nextcloud Server’s theming feature where admins can upload a logo or favicon with unrestricted filenames, enabling overwriting files in the appdata directory. Root cause: lack of filename validation for logo/favicon uploads. Impact: potential data modification via file over...

8.8CVSS6.1AI score0.00762EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.68 views

CVE-2020-8122

CVE-2020-8122 affects Nextcloud Server 14.0.3, where a missing authorization check on share expiration updates lets a recipient extend the expiration date of a share they received. The root cause is an inadequate validation of the requester as the owner when modifying a share’s expiration. This v...

4.3CVSS4.7AI score0.00684EPSS
CVE
CVE
added 2024/11/15 4:41 p.m.68 views

CVE-2024-52520

The CVE-2024-52520 entries describe a vulnerability in Nextcloud Server where a pre-flighted HEAD request allows the link reference provider to be tricked into downloading larger websites than intended to extract open-graph data. Affected software includes Nextcloud Server and Enterprise Server w...

6.5CVSS5.4AI score0.00779EPSS
CVE
CVE
added 2022/10/27 12:0 a.m.67 views

CVE-2022-39364

CVE-2022-39364 affects Nextcloud Server and Enterprise Server: reading nextcloud.log can reveal credentials to connect to a SharePoint service. Affected versions include Nextcloud Server prior to 23.0.9 and prior to 24.0.5; Nextcloud Enterprise Server prior to 22.2.10.5, 23.0.9, and 24.0.5. Patch...

6.5CVSS5.3AI score0.00464EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.66 views

CVE-2016-9464

CVE-2016-9464 concerns Nextcloud Server prior to 9.0.54 and 10.0.0, where an improper authorization check on removing shares exists. The Sharing Backend differentiates between user and group shares, but the previous API implementation could unshare a file for all users in a group when a group sha...

4.3CVSS4.3AI score0.01624EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.66 views

CVE-2017-0885

CVE-2017-0885 affects Nextcloud Server prior to 9.0.55 and 10.0.2. An error-message disclosure in write-only shares allows an adversary with access to enumerate existing files and subfolders by comparing exception messages. The issue is documented across multiple sources (Nextcloud advisory NC-SA...

4.3CVSS5.1AI score0.00899EPSS
CVE
CVE
added 2018/07/05 4:0 p.m.66 views

CVE-2018-3761

Nextcloud Server before 12.0.8 and 13.0.3 is affected by an improper authentication flaw at the OAuth2 token endpoint. The root cause is missing checks that could allow issuing new tokens if the OAuth2 client was partly compromised. Public disclosures reference CVE-2018-3761, with vendor advisori...

8.1CVSS8AI score0.01657EPSS
CVE
CVE
added 2026/06/01 5:13 p.m.66 views

CVE-2026-45810

Summary: CVE-2026-45810 affects Nextcloud Server, where a missing relation check allows authenticated users with access to any file comment to read the content of all comments. Affected versions are 31.0.0–31.0.11 and 32.0.0–32.0.2; fixed in 31.0.12 and 32.0.3. Enterprise Server upgrades are prov...

6.8CVSS5.7AI score0.00252EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.65 views

CVE-2019-15619

CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...

4.8CVSS5AI score0.0084EPSS
CVE
CVE
added 2024/11/15 4:38 p.m.65 views

CVE-2024-52521

The CVE records a vulnerability in Nextcloud Server where MD5 hashes were used to check background jobs for uniqueness, allowing a background job with specific arguments to be falsely identified as already existing and not queued. Technical details in connected documents confirm the root cause (M...

5.3CVSS3.6AI score0.00386EPSS
CVE
CVE
added 2025/12/05 4:22 p.m.65 views

CVE-2025-66512

Nextcloud Server and Server Enterprise before 31.0.12 and 32.0.3 have a missing sanitization that can be exploited to bypass content security policy when a user is tricked into viewing a crafted SVG outside the Nextcloud UI, enabling cross-site scripting. Fedora advisories FEDORA-2025-86c0829159 ...

6.1CVSS6.2AI score0.00237EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.64 views

CVE-2019-15618

CVE-2019-15618 affects Nextcloud Server Updater up to at least 15.0.5, where missing HTML escaping in the Updater allows a reflected XSS when started from a malicious location. The vulnerability is a client-side reflection (no server-state compromise described) that can lead to execution of arbit...

4.8CVSS4.9AI score0.00729EPSS
CVE
CVE
added 2023/03/30 6:31 p.m.64 views

CVE-2023-28643

CVE-2023-28643 affects Nextcloud Server. When two shares with the same name are sent to the same recipient while a memory cache is enabled, the second share can overwrite the first instead of being renamed to “{name} (2)”. This is documented across multiple sources in the connected set and is mit...

8.8CVSS6.8AI score0.00792EPSS
CVE
CVE
added 2024/06/14 3:5 p.m.64 views

CVE-2024-37314

CVE-2024-37314 concerns Nextcloud Photos enabling removal of photos from a registered user’s album. The entry notes remediation by upgrading Nextcloud Server to 25.0.7 or 26.0.2 and Nextcloud Enterprise Server to 25.0.7 or 26.0.2. Connected documents show multiple related Nextcloud vulnerabilitie...

3.5CVSS3.8AI score0.00413EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.63 views

CVE-2017-0887

CVE-2017-0887 affects Nextcloud Server before 9.0.55 and before 10.0.2, where an authenticated user can bypass quota limits due to improper sanitization of the OC-Total-Length HTTP header, allowing exceedance of configured quotas. The issue is documented across multiple sources (NVD/CNVD/OSV/Open...

4.3CVSS4.5AI score0.00888EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.63 views

CVE-2017-0892

Affected software: Nextcloud Server (

4.3CVSS4.2AI score0.00985EPSS
CVE
CVE
added 2018/03/28 8:0 p.m.63 views

CVE-2017-0936

CVE-2017-0936 affects Nextcloud Server prior to 11.0.7 and 12.0.5, where an Authorization Bypass Through User-Controlled Key vulnerability exists due to a missing ownership check. This allows logged-in users to change the scope of app passwords for other users. The app passwords themselves are no...

5.7CVSS5.3AI score0.00778EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.63 views

CVE-2018-16467

CVE-2018-16467 (Nextcloud Server before 14.0.0) is an improper access‑control vulnerability enabling unauthenticated attackers to bypass password protection for previews of single-file shares via the vulnerable publicpreview.php endpoint. The issue can disclose previews (notably image files) with...

5.3CVSS5.2AI score0.01068EPSS
CVE
CVE
added 2023/02/13 8:22 p.m.63 views

CVE-2023-25161

CVE-2023-25161 affects Nextcloud Server (and Enterprise Server) with missing rate limiting on the password reset function prior to versions 25.0.1, 24.0.8, and 23.0.12. The root issue is lack of rate limiting, which can cause service slowdown, storage overflow, or cost impact when external email ...

5.3CVSS4.8AI score0.00729EPSS
CVE
CVE
added 2018/07/05 4:0 p.m.62 views

CVE-2018-3762

CVE-2018-3762 affects Nextcloud Server prior to 12.0.8 and 13.0.3, where improper checks of dropped permissions for incoming shares let a user request previews for files they should not access. Root cause: inadequate enforcement of access control on image preview requests. Impact stated in source...

4.3CVSS4.8AI score0.00888EPSS
CVE
CVE
added 2022/07/05 5:15 p.m.62 views

CVE-2022-31014

CVE-2022-31014 affects Nextcloud Server; SMTP command injection via iCalendar attachments through newline handling. Affected versions are Nextcloud Server up to 22.2.7/8, 23.x up to 23.0.5, and 24.x up to 24.0.1 (per sources). The root cause is insufficient sanitization of newline characters in S...

5.4CVSS4.8AI score0.02421EPSS
CVE
CVE
added 2023/04/03 4:19 p.m.62 views

CVE-2023-28834

Summary of CVE-2023-28834 (Nextcloud Server information disclosure) Affected: Nextcloud Server 24.0.0–24.0.6, 25.0.0–25.0.4; Nextcloud Enterprise Server 23.0.0–23.0.11, 24.0.0–24.0.6, 25.0.0–25.0.4. Root cause: An API endpoint allowed a user to obtain the full data directory path of the Nextcloud...

4.3CVSS4AI score0.00813EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.61 views

CVE-2016-9467

CVE-2016-9467 involves content spoofing in the files app of Nextcloud Server and ownCloud Server. Affected versions: Nextcloud Server < 9.0.54 and 10.0.1; ownCloud Server

5.3CVSS5.8AI score0.02972EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.61 views

CVE-2017-0894

Nextcloud Server prior to 11.0.3 is affected by CVE-2017-0894 due to a logical error that discloses valid share tokens for public calendars, potentially letting an attacker access publicly shared calendars without the token. Affected product: Nextcloud Server; vulnerable component: calendar share...

4.3CVSS4.5AI score0.01169EPSS
Total number of security vulnerabilities189