20 matches found
CVE-2023-39957
CVE-2023-39957 affects Nextcloud Talk Android prior to 17.0.0, where an unprotected intent allowed malicious apps to trick Talk Android into writing files outside its intended cache directory (path traversal). A fix is available in version 17.0.0; no public workarounds are documented in the provi...
CVE-2021-41181
The CVE affects the Nextcloud Talk Android app prior to version 12.3.0. A flaw causes the app to fail to detect the device lockscreen state when an incoming call occurs, enabling an attacker with physical access to a locked phone to access chat messages and files. Affected component: Nextcloud An...
CVE-2021-41180
CVE-2021-41180 affects Nextcloud Talk: geolocation preview links can be set to arbitrary URLs due to insufficient validation, enabling an open-redirect scenario. Reported impact is limited to Android Talk clients, with the recommended mitigation being upgrading the Nextcloud Talk app to version 1...
CVE-2022-35932
CVE-2022-35932 describes a missing rate limit in Nextcloud Talk for password-protected conversations. Before versions 12.2.7, 13.0.7, and 14.0.3, an attacker with the conversation link/token can brute-force the password due to lack of rate limiting. Public sources (NVD/Red Hat/GSAs) confirm the i...
CVE-2022-24890
CVE-2022-24890 (Nextcloud Talk) affects Nextcloud Talk prior to versions 13.0.5 and 14.0.0, where a call moderator could indirectly enable a user's webcam by granting permissions that were removed. The underlying issue is exposure of webcam permissions that could be re-enabled without user consen...
CVE-2022-24887
CVE-2022-24887 – Open Redirect in Nextcloud Talk: The issue affects Nextcloud Talk prior to versions 11.3.4, 12.2.2, and 13.0.0. When sharing a Deck card in a conversation, the metaData can be manipulated to trick users into opening arbitrary URLs. The vulnerability is fixed in the cited patched...
CVE-2022-39212
Nextcloud Talk vulnerability CVE-2022-39212: in affected versions, the last video frame of a participant can be disclosed when the camera is selected but the video is disabled. This is a client-side issue in Nextcloud Talk (chat/video calls) that allows viewing the last frame of other participant...
CVE-2021-32676
Nextcloud Talk suffers a session fixation vulnerability: password-protected shared talks did not rotate the session cookie after authentication in versions prior to 9.0.10, 10.0.8 and 11.2.2. Exploitation could allow an attacker to hijack a guest session. Remediation is to upgrade the Nextcloud T...
CVE-2023-22473
CVE-2023-22473 affects the Nextcloud Talk Android app. The vulnerability is a passcode bypass that allows access to a user’s Nextcloud files and conversations when an attacker has physical access to the target device. The root cause is exposed by the described bypass in Talk Android, enabling exp...
CVE-2023-45149
CVE-2023-45149 affects Nextcloud Talk. Root cause: brute-force protection for public talk conversation passwords can be bypassed because the authentication endpoint validates the password without applying bruteforce protection. Affected: Nextcloud Talk versions prior to 15.0.8, 16.0.6, or 17.1.1....
CVE-2022-41926
CVE-2022-41926 concerns the Nextcloud Talk Android app. The receiver component is not protected by broadcastPermission in affected versions, enabling a malicious app to monitor communication locally. The issue is tied to Nextcloud Talk Android prior to 14.1.0. Remediation in all sources is to upg...
CVE-2020-8180
CVE-2020-8180 affects Nextcloud Talk versions 6.0.4, 7.0.2, and 8.0.7. A too-lax validation allows an administrator-added, not properly sanitized talk command to inject code. This can lead to arbitrary code execution when a crafted command is processed (for example, using talk commands to trigger...
CVE-2019-15619
CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...
CVE-2023-28845
CVE-2023-28845 affects Nextcloud Talk (the video/audio conferencing app) and stems from improper filtering of access to a conversation’s member list. This could allow an attacker to retrieve information about members of a Talk conversation even if they are not a member themselves. Public disclosu...
CVE-2023-30540
CVE-2023-30540 affects Nextcloud Talk (Nextcloud extension). A user added later to a conversation could access data that had already been deleted before their addition, representing an information disclosure. The issue has been patched in Nextcloud Talk 15.0.5; upgrading to 15.0.5 is recommended....
CVE-2021-32689
Nextcloud Talk suffered a vulnerability in versions prior to 11.2.2 where a user could reuse an earlier username and gain access to chat messages sent to that previous user. The issue is described as allowing access to messages associated with the reused username, with patches released in Nextclo...
CVE-2019-15620
CVE-2019-15620 describes an improper access control vulnerability in Nextcloud Talk 6.0.3 where the existence and names of private conversations can be leaked when those conversations are linked to another shared item via the Projects feature. Affected component is Nextcloud Talk (Spreed) 6.0.3. ...
CVE-2018-3781
Nextcloud Talk
CVE-2021-39222
Nextcloud Talk is affected by a stored XSS vulnerability in the Talk component of Nextcloud. The issue can be triggered by right-clicking a malicious file and opening it in a new tab, but exploitation is mitigated on modern browsers due to Content-Security-Policy (CSP). Remediation is to upgrade ...
CVE-2025-66556
Nextcloud Talk contains a vulnerability in which a participant with chat permissions could delete poll drafts belonging to other participants by ID. Affected software is Nextcloud Talk prior to versions 20.1.8 and 21.1.2. The issue is addressed by upgrading to 20.1.8 or 21.1.2 or later. The conne...