PT-2025-49115 · Nextcloud · Nextcloud

Published: 2025-12-04 · Updated: 2025-12-04 · CVE-2025-59788

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud versions prior to 22.2.10.33
Nextcloud versions prior to 23.0.12.29
Nextcloud versions prior to 24.0.12.28
Nextcloud versions prior to 25.0.13.23
Nextcloud versions prior to 26.0.13.20
Nextcloud versions prior to 27.1.11.20
Nextcloud versions prior to 28.0.14.11
Nextcloud versions prior to 29.0.16.8
Nextcloud versions prior to 30.0.17
Nextcloud versions prior to 31.0.10
Nextcloud versions prior to 32.0.1

Description

A cross-site scripting (XSS) issue exists in the files pdfviewer example directory of Nextcloud. This allows attackers to execute arbitrary JavaScript code within a user's browser through a specially crafted PDF file when viewed using viewer.html. The root cause is the exposure of executable example code on a same-origin basis.

Recommendations

Update Nextcloud to version 22.2.10.33 or later.
Update Nextcloud to version 23.0.12.29 or later.
Update Nextcloud to version 24.0.12.28 or later.
Update Nextcloud to version 25.0.13.23 or later.
Update Nextcloud to version 26.0.13.20 or later.
Update Nextcloud to version 27.1.11.20 or later.
Update Nextcloud to version 28.0.14.11 or later.
Update Nextcloud to version 29.0.16.8 or later.
Update Nextcloud to version 30.0.17 or later.
Update Nextcloud to version 31.0.10 or later.
Update Nextcloud to version 32.0.1 or later.
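
To triage an inventory against the fixed versions listed above, the following added example (not part of the advisory or of Nextcloud's own code) compares each installed version with the fixed release of its major line. It assumes each fixed version applies only to its own major release line; majors the advisory does not list are reported as "unlisted" rather than guessed, and the host names and versions in the sample inventory are constructed.

```python
# Added example: fixed versions copied from the advisory's list.
FIXED = ["22.2.10.33", "23.0.12.29", "24.0.12.28", "25.0.13.23",
         "26.0.13.20", "27.1.11.20", "28.0.14.11", "29.0.16.8",
         "30.0.17", "31.0.10", "32.0.1"]


def parse(version):
    """Turn '31.0.9.1' into (31, 0, 9, 1), zero-padded to four parts."""
    parts = [int(p) for p in version.strip().split(".")]  # ValueError on junk
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"not a Nextcloud version: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# Assumption: one fixed release per major line, keyed by major number.
FIXED_BY_MAJOR = {parse(v)[0]: parse(v) for v in FIXED}


def status(installed):
    """Return 'affected', 'fixed', or 'unlisted' for one installed version."""
    v = parse(installed)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "unlisted"  # advisory names no fixed release for this major
    return "affected" if v < fixed else "fixed"


def triage(inventory):
    """Map {host: version} to {host: status}."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    inventory = {
        "cloud-a.example": "31.0.9.1",
        "cloud-b.example": "31.0.10",
        "cloud-c.example": "27.0.2.1",
        "cloud-d.example": "21.0.9.1",
    }
    for host, result in triage(inventory).items():
        print(f"{host:18} {inventory[host]:12} {result}")
```

The four-part version string is the value Nextcloud reports in the `version` field of `occ status`.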

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-59788

Affected Products: Nextcloud