189 matches found
CVE-2024-52519
CVE-2024-52519 affects Nextcloud Server and Nextcloud Enterprise Server. The issue is that OAuth2 client secrets were stored in a recoverable form, enabling an attacker with access to a database backup and the Nextcloud config file to decrypt them. Public documentation in the provided sources rec...
CVE-2016-9459
CVE-2016-9459 affects Nextcloud Server < 9.0.52 and ownCloud Server
CVE-2017-0883
CVE-2017-0883 affects Nextcloud Server before 9.0.55 and 10.0.2, where a permission escalation in the OCS sharing API allows an authenticated user to reshare items with elevated permissions. The issue enables an attacker to edit files in a share despite having only read access for folders/files t...
CVE-2021-22878
CVE-2021-22878 affects Nextcloud Server prior to 20.0.6, where a reflected XSS exists due to insufficient sanitization in OC.Notification.show. The vulnerability is described across multiple sources (e.g., CNVD/CNNVD, OSV, CVE lists) and is mitigated by upgrading Nextcloud to 20.0.6 or later (per...
CVE-2022-41968
Nextcloud Server vulnerability CVE-2022-41968: calendar name lengths were not validated before writing to the database, affecting versions prior to 23.0.10 and 24.0.5. Patches are available in 23.0.10 and 24.0.5; no public workarounds are documented. Connected advisories corroborate the issue as ...
CVE-2023-28644
CVE-2023-28644 affects Nextcloud Server 25.x prior to 25.0.3, where an inefficient fetch operation can degrade performance and lead to a denial of service. The X.Y issue (server-side fetch) is characterized as a resource-management bottleneck that may saturate server resources, with impact limite...
CVE-2023-32320
CVE-2023-32320 affects Nextcloud Server and Enterprise Server where, under parallel requests, the system could ignore the configured request limit and process faulty requests beyond the limit, enabling brute-force-like access to protected details. Affected versions include Nextcloud Server 25.0.7...
CVE-2023-39961
Technical details about CVE-2023-39961 are not provided in the connected documents. The sources summarize Nextcloud fixes but do not expose exploit specifics or affected versions beyond the initial description. Monitor for updates.
CVE-2020-8259
Nextcloud Server 19.0.1 is affected by CVE-2020-8259 due to insufficient protection of server-side encryption keys, allowing an attacker to replace the encryption keys. Exploitation details are not provided in the connected docs; the issue is described as a vulnerability in the key protection mec...
CVE-2023-25821
Nextcloud CVE-2023-25821 describes an Improper Access Control in Nextcloud Server prior to 24.0.7 and 25.0.1 where the Secure view for internal shares can be bypassed if reshare permissions are granted. Affected versions are 24.0.4–24.0.6 and 25.0.0–25.0.0 (and other lines indicate similar ranges...
CVE-2023-28844
CVE-2023-28844 affects Nextcloud Server; an access-control error allows users who should not download a file to retrieve an older version and distribute it. Affected versions were prior to 24.0.10 and prior to 25.0.4. The issue is mitigated by upgrading to Nextcloud Server 24.0.10 or 25.0.4 (or l...
CVE-2023-48305
CVE-2023-48305: Nextcloud Server and Nextcloud Enterprise Server logged user passwords in plaintext to log files when loglevel was set to debug in affected releases. Affected versions: Nextcloud Server/Enterprise Server up to 25.0.10.x, 25.0.12.x, 26.0.5.x, and 27.0.x (prior to patches). Root cau...
CVE-2024-52525
CVE-2024-52525 – Nextcloud Server : The vulnerability concerns how the server handles user passwords in memory. Under certain conditions, a user password could be stored unencrypted in the PHP process memory; although session data is encrypted when stored in Redis or disk, a malicious process wit...
CVE-2017-0895
The CVE-2017-0895 vulnerability affects Nextcloud Server before 10.0.4 and 11.0.2, where a logical error allows disclosure of calendar and addressbook names to other logged‑in users. No calendar/addressbook content is exposed. Affected versions are fixed in the NC-SA-2017-012 advisory, with Nextc...
CVE-2023-30539
Nextcloud Server/server family suffers an access control vulnerability where system tag based file access control or file retention rules can be abused to limit or grant access. Affected: Nextcloud Server, Enterprise Server, and related Files automated tagging app. Root cause: misapplied access c...
CVE-2020-8120
CVE-2020-8120 describes a reflected XSS in Nextcloud Server 16.0.1 related to SVG logo generation. The issue affects the SVG rendering path (logo) via user-controllable inputs and has a CVSS v3.1 base score of 6.1 (MEDIUM). Public references (NVD/CVE records and Nextcloud advisory) confirm the vu...
CVE-2021-22877
CVE-2021-22877 affects Nextcloud Server prior to 20.0.6, where a missing user check can cause a user’s own credentials to be populated for other users’ external storage configuration when that configuration has not yet been set. This is documented across multiple sources (NVD entry, CNVD/CNNVD su...
CVE-2023-35928
CVE-2023-35928 affects Nextcloud Server and Enterprise Server prior to the patched versions. A user could abuse a functionality to access another user’s login credentials and take over the account. Affected ranges include Nextcloud Server 25.0.0–25.0.7 and 26.0.0–26.0.2; Enterprise Server 19.0.0–...
CVE-2023-39958
CVE-2023-39958 affects Nextcloud Server where, in versions 22.0.0 through 22.2.x, 23.x, 24.x, 25.x, 26.x and 27.x, missing protection allowed brute-forcing of OAuth2 client secrets. The issue is mitigated by patches in Nextcloud Server: 25.0.9, 26.0.4, 27.0.1 and corresponding Enterprise Server p...
CVE-2016-9463
This CVE affects Nextcloud Server prior to 9.0.54 and 10.0.1 and ownCloud Server prior to 9.1.2, 9.0.6, and 8.2.9. The issue is an SMB authentication backend that, when enabled, authenticates against an SMB server and incorrectly treats a connection to an SMB server with anonymous authentication ...
CVE-2019-15612
Nextcloud Server 15.0.2 is affected by CVE-2019-15612, where 2FA sessions are not properly expired after a user password reset. The issue is described as a bug in Nextcloud Server 15.0.2 that leaves pending 2FA logins active after password changes. Public references include the NVD entry and the ...
CVE-2020-8117
CVE-2020-8117 affects Nextcloud Server 14.0.3, involving improper preservation of permissions that leaks event details when sharing a non-public calendar event. Public references (NVD, CVE listing, SUSE, CNVD, OpenVAS/NC-SA-2020-013) confirm the issue name and description; CVSS metrics from NVD s...
CVE-2022-39330
CVE-2022-39330 affects Nextcloud Server prior to 23.0.10 and 24.0.6, and Nextcloud Enterprise Server prior to 22.2.10, 23.0.10, 24.0.6. Description: a logged-in attacker can cause resource exhaustion (database/cpu load) by abusing sharee recommendations with the Circles feature; patches exist in ...
CVE-2023-35171
CVE-2023-35171 affects Nextcloud Server and Nextcloud Enterprise Server, with the issue present from 26.0.0 up to, but not including, 26.0.2. An attacker could craft a URL that redirects a victim from a legitimate domain to the attacker’s site, enabling phishing-like behavior. A fix is available ...
CVE-2023-48303
Multiple PTSecurity advisories describe Nextcloud Server/Enterprise Server vulnerabilities with concrete versioned fixes. Issues cover: (1) reading external storage credentials or stored global credentials from client sessions or API responses; (2) insufficient authentication or session‑level pro...
CVE-2017-0893
CVE-2017-0893 affects Nextcloud Server prior to 9.0.58, 10.0.5, and 11.0.3. A vulnerable JavaScript library used for sanitizing untrusted input enables a cross-site scripting (XSS) issue due to a Safari 10.1/10.2 behavior change. Nextcloud notes a strict Content-Security-Policy that mitigates exp...
CVE-2023-28833
CVE-2023-28833 affects Nextcloud Server’s theming feature where admins can upload a logo or favicon with unrestricted filenames, enabling overwriting files in the appdata directory. Root cause: lack of filename validation for logo/favicon uploads. Impact: potential data modification via file over...
CVE-2020-8122
CVE-2020-8122 affects Nextcloud Server 14.0.3, where a missing authorization check on share expiration updates lets a recipient extend the expiration date of a share they received. The root cause is an inadequate validation of the requester as the owner when modifying a share’s expiration. This v...
CVE-2024-52520
The CVE-2024-52520 entries describe a vulnerability in Nextcloud Server where a pre-flighted HEAD request allows the link reference provider to be tricked into downloading larger websites than intended to extract open-graph data. Affected software includes Nextcloud Server and Enterprise Server w...
CVE-2022-39364
CVE-2022-39364 affects Nextcloud Server and Enterprise Server: reading nextcloud.log can reveal credentials to connect to a SharePoint service. Affected versions include Nextcloud Server prior to 23.0.9 and prior to 24.0.5; Nextcloud Enterprise Server prior to 22.2.10.5, 23.0.9, and 24.0.5. Patch...
CVE-2016-9464
CVE-2016-9464 concerns Nextcloud Server prior to 9.0.54 and 10.0.0, where an improper authorization check on removing shares exists. The Sharing Backend differentiates between user and group shares, but the previous API implementation could unshare a file for all users in a group when a group sha...
CVE-2017-0885
CVE-2017-0885 affects Nextcloud Server prior to 9.0.55 and 10.0.2. An error-message disclosure in write-only shares allows an adversary with access to enumerate existing files and subfolders by comparing exception messages. The issue is documented across multiple sources (Nextcloud advisory NC-SA...
CVE-2018-3761
Nextcloud Server before 12.0.8 and 13.0.3 is affected by an improper authentication flaw at the OAuth2 token endpoint. The root cause is missing checks that could allow issuing new tokens if the OAuth2 client was partly compromised. Public disclosures reference CVE-2018-3761, with vendor advisori...
CVE-2026-45810
Summary: CVE-2026-45810 affects Nextcloud Server, where a missing relation check allows authenticated users with access to any file comment to read the content of all comments. Affected versions are 31.0.0–31.0.11 and 32.0.0–32.0.2; fixed in 31.0.12 and 32.0.3. Enterprise Server upgrades are prov...
CVE-2019-15619
CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...
CVE-2024-52521
The CVE records a vulnerability in Nextcloud Server where MD5 hashes were used to check background jobs for uniqueness, allowing a background job with specific arguments to be falsely identified as already existing and not queued. Technical details in connected documents confirm the root cause (M...
CVE-2025-66512
Nextcloud Server and Server Enterprise before 31.0.12 and 32.0.3 have a missing sanitization that can be exploited to bypass content security policy when a user is tricked into viewing a crafted SVG outside the Nextcloud UI, enabling cross-site scripting. Fedora advisories FEDORA-2025-86c0829159 ...
CVE-2019-15618
CVE-2019-15618 affects Nextcloud Server Updater up to at least 15.0.5, where missing HTML escaping in the Updater allows a reflected XSS when started from a malicious location. The vulnerability is a client-side reflection (no server-state compromise described) that can lead to execution of arbit...
CVE-2023-28643
CVE-2023-28643 affects Nextcloud Server. When two shares with the same name are sent to the same recipient while a memory cache is enabled, the second share can overwrite the first instead of being renamed to “{name} (2)”. This is documented across multiple sources in the connected set and is mit...
CVE-2024-37314
CVE-2024-37314 concerns Nextcloud Photos enabling removal of photos from a registered user’s album. The entry notes remediation by upgrading Nextcloud Server to 25.0.7 or 26.0.2 and Nextcloud Enterprise Server to 25.0.7 or 26.0.2. Connected documents show multiple related Nextcloud vulnerabilitie...
CVE-2017-0887
CVE-2017-0887 affects Nextcloud Server before 9.0.55 and before 10.0.2, where an authenticated user can bypass quota limits due to improper sanitization of the OC-Total-Length HTTP header, allowing exceedance of configured quotas. The issue is documented across multiple sources (NVD/CNVD/OSV/Open...
CVE-2017-0892
Affected software: Nextcloud Server (
CVE-2017-0936
CVE-2017-0936 affects Nextcloud Server prior to 11.0.7 and 12.0.5, where an Authorization Bypass Through User-Controlled Key vulnerability exists due to a missing ownership check. This allows logged-in users to change the scope of app passwords for other users. The app passwords themselves are no...
CVE-2018-16467
CVE-2018-16467 (Nextcloud Server before 14.0.0) is an improper access‑control vulnerability enabling unauthenticated attackers to bypass password protection for previews of single-file shares via the vulnerable publicpreview.php endpoint. The issue can disclose previews (notably image files) with...
CVE-2023-25161
CVE-2023-25161 affects Nextcloud Server (and Enterprise Server) with missing rate limiting on the password reset function prior to versions 25.0.1, 24.0.8, and 23.0.12. The root issue is lack of rate limiting, which can cause service slowdown, storage overflow, or cost impact when external email ...
CVE-2018-3762
CVE-2018-3762 affects Nextcloud Server prior to 12.0.8 and 13.0.3, where improper checks of dropped permissions for incoming shares let a user request previews for files they should not access. Root cause: inadequate enforcement of access control on image preview requests. Impact stated in source...
CVE-2022-31014
CVE-2022-31014 affects Nextcloud Server; SMTP command injection via iCalendar attachments through newline handling. Affected versions are Nextcloud Server up to 22.2.7/8, 23.x up to 23.0.5, and 24.x up to 24.0.1 (per sources). The root cause is insufficient sanitization of newline characters in S...
CVE-2023-28834
Summary of CVE-2023-28834 (Nextcloud Server information disclosure) Affected: Nextcloud Server 24.0.0–24.0.6, 25.0.0–25.0.4; Nextcloud Enterprise Server 23.0.0–23.0.11, 24.0.0–24.0.6, 25.0.0–25.0.4. Root cause: An API endpoint allowed a user to obtain the full data directory path of the Nextcloud...
CVE-2016-9467
CVE-2016-9467 involves content spoofing in the files app of Nextcloud Server and ownCloud Server. Affected versions: Nextcloud Server < 9.0.54 and 10.0.1; ownCloud Server
CVE-2017-0894
Nextcloud Server prior to 11.0.3 is affected by CVE-2017-0894 due to a logical error that discloses valid share tokens for public calendars, potentially letting an attacker access publicly shared calendars without the token. Affected product: Nextcloud Server; vulnerable component: calendar share...