PT-2025-49267 · Nextcloud · Nextcloud Server, Nextcloud Enterprise Server
Published 2025-12-05 · Updated 2025-12-21
CVE-2025-66512
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 31.0.12
Nextcloud Server Enterprise versions prior to 31.0.12
Nextcloud Server versions prior to 32.0.3
Nextcloud Server Enterprise versions prior to 32.0.3
Description
Nextcloud Server and Nextcloud Server Enterprise contain a missing sanitization of uploaded SVG files that allows a malicious user to circumvent the content security policy. SVG is an XML format that can carry embedded script elements and event-handler attributes. While such a file is rendered inside the Nextcloud web page, the server's CSP keeps that script from running; when a malicious user tricks another user into viewing a maliciously uploaded SVG file outside of the Nextcloud Server's web page (for example, opened directly in a browser tab), that CSP no longer governs the document and the embedded script can execute in the victim's browser. Exploitation needs no privileges beyond the ability to upload a file but does require the victim to open it, which is reflected in the PR:N/UI:R components of the vector and in its changed scope.
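As an added example (not code from Nextcloud and not a description of the CVE-2025-66512 fix), the following Python shows the two generic controls the description points at: a check that flags script-capable content in an uploaded SVG, and the response headers that keep a raw SVG from executing script when a browser opens it as its own document, where the application page's CSP does not apply. The download endpoint, the rule set and the two sample files are assumptions for illustration.

```python
"""Added example (not Nextcloud code and not the CVE-2025-66512 patch):
flag script-capable content in an uploaded SVG, and build the response
headers that keep a raw SVG from running script when a browser opens it
as its own document."""
import re
import xml.etree.ElementTree as ET

# Namespace-stripped element names that execute or embed foreign content.
# <foreignObject> can wrap arbitrary HTML (including <script> and <iframe>),
# so it is treated like <script>.
ACTIVE_ELEMENTS = {"script", "foreignObject"}

# Attributes that take a URL and can therefore carry javascript: or data:.
# Both plain href and xlink:href end up with the local name "href".
URL_ATTRIBUTES = {"href"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix like '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def _normalized_url(value: str) -> str:
    """Mimic browser URL parsing for scheme checks: drop ASCII whitespace
    and control characters, then lower-case, so 'java\\tscript:' is caught."""
    return re.sub(r"[\x00-\x20]", "", value).lower()


def find_active_content(svg: bytes) -> list[str]:
    """Return findings for script-capable content in an SVG document.

    An empty list only means this small rule set did not fire; it is a
    detector for the obvious cases, not an allow-list sanitizer.
    """
    # Stdlib ElementTree keeps the example dependency-free; for untrusted
    # uploads use defusedxml, which blocks entity-expansion and external
    # DTD tricks that plain expat does not.
    root = ET.fromstring(svg)
    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRIBUTES:
                url = _normalized_url(value)
                if url.startswith(("javascript:", "data:")):
                    scheme = url.split(":", 1)[0]
                    findings.append(f"{scheme}: URL in {name} on <{tag}>")
    return findings


def raw_file_headers(filename: str) -> dict[str, str]:
    """Headers for returning a user-uploaded SVG verbatim, e.g. from a
    download endpoint (assumed endpoint; not a Nextcloud API).

    Content-Disposition: attachment stops the browser from rendering the
    file as a top-level document at all. The CSP 'sandbox' directive is a
    second layer: if the document is rendered anyway, script is disabled
    and it runs in an opaque origin, so it cannot read the app's cookies
    or DOM. Neither header matters for <img src=...> embedding, where
    browsers already refuse to execute SVG script.
    """
    # Keep the filename from breaking out of the quoted parameter or
    # injecting a second header line.
    safe_name = re.sub(r'["\r\n]', "", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for the demonstration (not real uploads).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="20">click me</text></a>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="orange"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, find_active_content(doc) or "no findings")
    print(raw_file_headers("diagram.svg"))
```

The detector is deliberately a denylist so that the interesting cases (a tab hidden inside `javascript:`, an event handler on the root element, `xlink:href` versus `href`) are visible; a production sanitizer should instead allow-list elements and attributes. The header set is what a server can send on a raw-file route regardless of whether sanitization caught anything, since it removes the top-level-document execution context the description relies on.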
Recommendations
Update Nextcloud Server and Nextcloud Server Enterprise to version 31.0.12 or later (31.x branch).
Update Nextcloud Server and Nextcloud Server Enterprise to version 32.0.3 or later (32.x branch).
The installed version can be confirmed from the server with `php occ status`.
XSS
Related Identifiers
CVE-2025-66512
Affected Products
Nextcloud Server
Nextcloud Enterprise Server