189 matches found
CVE-2019-5449
CVE-2019-5449 affects Nextcloud Server prior to 15.0.1. A missing check allows leaking calendar event names when adding or modifying confidential or private events. Multiple connected sources confirm an information disclosure vulnerability in Nextcloud Server before 15.0.1. Impact is information ...
CVE-2017-0884
CVE-2017-0884 affects Nextcloud Server prior to versions 9.0.55 and 10.0.2 . A logical error in the file caching layer allows an authenticated attacker who has at least read-only permissions to create empty folders inside a shared folder, i.e., a creation of folders in read-only folders despite l...
CVE-2018-16463
CVE-2018-16463 describes a session-fixation bug in Nextcloud Server, affecting versions prior to 14.0.0, 13.0.3, and 12.0.8, which could allow an attacker to access password-protected shares. Core details provided indicate a vulnerability in Nextcloud Server’s session handling, with the public Ne...
CVE-2020-8236
Nextcloud Server 19.0.1 contains an improper authentication issue where a misconfiguration causes a passwordless WebAuthn PIN to be treated as two-factor authentication, but the PIN is not actually verified. This vulnerability could lead to users believing they have 2FA protection when the system...
CVE-2023-25816
CVE-2023-25816 – Nextcloud resource consumption : The issue affects Nextcloud Server 25.0.0 through versions before 25.0.3, where an extremely long password can cause uncontrolled resource usage during validation. This vulnerability is addressed by upgrading to 25.0.3, as stated in the advisory a...
CVE-2018-3776
CVE-2018-3776 affects Nextcloud Server; an improper input validator in affected versions prior to 12.0.3 and 11.0.5 could allow an attacker’s actions to bypass audit-logging. The vulnerability is documented across multiple sources (including Red Hat and OpenVAS feeds) and is described as a loggin...
CVE-2018-3780
CVE-2018-3780 detail (normal mode): Nextcloud’s autocomplete search results may expose a stored XSS due to missing sanitization in the autocomplete field. The flaw affects Nextcloud Server releases around 13.x (notably 13.0.5 and related updates) and can be triggered by crafted search results con...
CVE-2020-8150
CVE-2020-8150 relates to Nextcloud Server 19.0.1 and describes a cryptographic downgrade where an attacker can degrade the encryption scheme and break the integrity of encrypted files. Public docs indicate this vulnerability affects Nextcloud Server 19.0.1 and is discussed in the NC-SA-2020-039 a...
CVE-2020-8173
CVE-2020-8173 affects Nextcloud Server 18.0.4, where a too-small set of random characters used for encryption enables decryption in less time than intended. The vulnerability’s root cause is insufficient randomness in the encryption key/IV generation. Remediation per connected advisories is to up...
CVE-2016-7419
Affected software and scope: CVE-2016-7419 is an XSS vulnerability in the share.js file of the gallery application used by ownCloud Server < 9.0.4 and Nextcloud Server
CVE-2016-9466
CVE-2016-9466 is a reflected XSS in the Gallery application affecting Nextcloud Server before 10.0.1 and ownCloud Server before 9.0.6, with further versions 9.1.2 affected. The issue arises from the Gallery app not properly sanitizing exception messages generated by the Nextcloud/ownCloud server;...
CVE-2017-0886
CVE-2017-0886 affects Nextcloud Server. The vulnerability stems from an error in the application logic that allows an authenticated adversary to trigger an endless recursion, resulting in a Denial of Service. Impact is described as Denial of Service with potential for persistent unavailability. A...
CVE-2017-0890
Nextcloud Server vulnerability CVE-2017-0890 is a DOM-based XSS in the search dialogue caused by inadequate escaping. Affects Nextcloud Server versions prior to 11.0.3. Exploitation requires a user to input or paste malicious content into the search dialogue. The issue is confirmed through multip...
CVE-2018-16466
CVE-2018-16466 affects Nextcloud Server prior to 14.0.0, 13.0.6, and 12.0.11. The root cause is improper revalidation of permissions, which can cause access restrictions to be bypassed via access tokens. The issue is documented in NC-SA-2018-010 (vendor fix). Affected versions include Nextcloud S...
CVE-2020-8296
Summary of CVE-2020-8296 (Nextcloud Server) : Multiple sources describe Nextcloud Server versions prior to 20.0.0 as storing passwords in a recoverable format even when external storage is not configured. The issue is associated with Nextcloud Server
CVE-2017-0891
Nextcloud Server (before 9.0.58, 10.0.5, and 11.0.3) is vulnerable to an inadequate escaping of error messages that leads to Reflected Cross-Site Scripting in multiple components. The provided documents designate this as CVE-2017-0891 and describe XSS in error handling; exploitation details are n...
CVE-2019-5451
CVE-2019-5451 concerns the Nextcloud Android app prior to version 3.6.1, where bypassing the lock protection allowed access to files by repeatedly opening/closing the app in quick succession. The vulnerability affects the Android client’s ability to enforce device/user authentication for local fi...
CVE-2020-8223
CVE-2020-8223 affects Nextcloud Server 19.0.0 and is described as a logic error enabling privilege escalation by reshare with higher permissions than the attacker’s own. Fedora advisories show a fix in Nextcloud 19.0.3 (NC-SA-2020-029), and OpenVAS/NVD entries corroborate the CVE, but exploitatio...
CVE-2025-47791
The vulnerability CVE-2025-47791 affects Nextcloud Server (self-hosted) and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3. The issue is an improperly protected, currently unused endpoint used to verify a share recipient, which could proxy requests to another server. Affected v...
CVE-2025-47793
The CVE-2025-47793 issue affects Nextcloud Server and the Groupfolders app where, due to missing quota enforcement on attachments, logged-in users could upload files that exceed the group folder quota. Affected versions and fixes are: Nextcloud Server: before 30.0.2, 29.0.9, 28.0.1 Nextcloud Ente...
CVE-2016-9461
CVE-2016-9461 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The vulnerability stems from improper verification of edit permissions on WebDAV COPY actions, where the WebDAV endpoint did not correctly check permissions during COPY. As a result, an authenticated attacker w...
CVE-2016-9462
Summary: CVE-2016-9462 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The root cause is inadequate verification of restore privileges during file restoration, allowing a user with read-only access to revert to older versions. Affected components: Nextcloud Server (pre-9....
CVE-2016-9465
CVE-2016-9465 affects Nextcloud Server < 10.0.1 and ownCloud Server
CVE-2020-8133
Nextcloud Server 19.0.1 vulnerability (CVE-2020-8133) arises from incorrect passphrase generation for the encrypted block, enabling an attacker to silently overwrite blocks within a file. Public sources (Nextcloud advisory NC-SA-2020-038) describe MAC-based encryption weaknesses that can be explo...
CVE-2016-9468
CVE-2016-9468 affects Nextcloud Server before 9.0.54 and 10.0.1 and ownCloud Server before 9.0.6 and 9.1.2. The vulnerability is a content spoofing issue in the dav app caused by an exception message that included partially user‑controllable input, potentially leading to misrepresentation of info...
CVE-2018-16464
CVE-2018-16464 affects Nextcloud Server prior to 14.0.0. A missing access check could allow continued access to password-protected link shares after the owner changes the password, enabling unauthorized access to shared resources. Remediation: upgrade to Nextcloud Server 14.0.0 or apply vendor ad...
CVE-2018-16465
Nextcloud Server is affected when used with versions prior to 14.0.0. The issue is a missing state that would have enforced a second factor at login if the 2FA provider failed to load, effectively allowing a 2FA bypass under certain conditions. This vulnerability is described in advisories NC-SA-...
CVE-2025-47794
CVE-2025-47794 affects Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1, and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1. An attacker on a multi-user system may read temporary files from Nextcloud running under a different user account ...
CVE-2026-45281
CVE-2026-45281 affects Nextcloud Server versions 32.0.0–32.0.8 and 33.0.0–33.0.2. The issue stems from improper authorization in the calendar backend, requiring an authenticated attacker who knows another user’s principal URL. An authenticated user could potentially send a request to gain full ac...
CVE-2026-45279
Nextcloud Server versions 31.0.0–31.0.13 and 32.0.0–32.0.3 are affected when {lang} is used in the template directory config value. Non-admin users can in some cases copy arbitrary files into their own Nextcloud directory via a path traversal, depending on Unix permissions. Impact is described as...
CVE-2026-45285
Concretely affected software: Nextcloud server branches 32.x (32.0.0–32.0.8) and 33.x (33.0.0–33.0.2). The vulnerability arises when sharing with a Team that includes an external member; a public link is auto-created for that external member and is not shown in the share UI. The link grants the s...
CVE-2025-66547
Nextcloud Server (and Enterprise Server) prior to 31.0.1 contains a vulnerability where non-privileged users can modify tags on files they should not access via bulk tagging. Affected product: Nextcloud Server/Enterprise Server; vulnerable component: file tagging mechanism. Root cause details are...
CVE-2026-45282
This CVE affects Nextcloud Server versions 32.0.0–32.0.8 and 33.0.0–33.0.2, where an authenticated attacker can access attachments of link shares using a valid share token and a known documentId, bypassing password protection or download restrictions. The vulnerability enables access to attachmen...
CVE-2026-45690
Nextcloud Server versions 32.0.0–32.0.9 and 33.0.0–33.0.3 expose an authentication bypass where, after valid credentials are entered on a 2FA-enabled account, a temporary session token is created before the second factor is enforced. The token can be extracted and replayed via HTTP Basic Authenti...
CVE-2025-59788
Technical details about CVE-2025-59788 are not publicly available in the connected documents provided. The materials summarize Nextcloud XSS in a reachable files_pdfviewer directory and list affected versions, but no further technical specifics, root cause, impact, or remediation are included her...
CVE-2026-45283
In Nextcloud Server, the files_lock app is vulnerable in versions 32.0.0 to before 32.0.2 and 33.0.0 to before 33.0.1. The root cause is improper validation of file ownership when processing DAV lock and unlock requests, allowing an authenticated user to lock or unlock files belonging to other us...
CVE-2025-64011
Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. An authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter, enabling unauthorized disclosure of sensitive data (text, ...
CVE-2025-66510
CVE-2025-66510 affects Nextcloud Server and Nextcloud Enterprise Server where the contact search feature can disclose personal data (emails, names, identifiers) of other users to authenticated users due to improper access control. Affected versions include Nextcloud Server prior to 31.0.10 and 32...
CVE-2025-66552
CVE-2025-66552 affects Nextcloud Server and Enterprise Server. The issue is due to incorrect path handling with groupfolders, causing the admin_audit app to fail to log all actions on files and folders inside groupfolders. The vulnerability is fixed in Nextcloud Server and Enterprise Server versi...