PT-2025-49294 · Nextcloud+1 · Nextcloud Mail+1

Published: 2025-12-05 · Updated: 2026-02-09 · CVE-2025-66514

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Nextcloud Mail versions prior to 5.5.3

Description
A stored HTML injection issue exists in the Mail app's message list, potentially allowing an authenticated user to inject HTML into email subjects. The Nextcloud Server's content security policy blocks JavaScript, mitigating some of the risk.

Recommendations
Update Nextcloud Mail to version 5.5.3 or later.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2026-03581
CVE-2025-66514
GHSA-V394-8GPC-6FV5

Affected Products

Nextcloud Mail
Red Os