
nextcloud — Vulnerabilities & Security Advisories 288

Browse all 288 CVE security advisories affecting nextcloud. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Nextcloud operates as an open-source file sharing and collaboration platform, providing self-hosted alternatives to commercial cloud services. With 261 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insecure default configurations within its PHP-based architecture. Notable incidents have involved unauthorized data access and server compromise, highlighting risks associated with complex plugin ecosystems and frequent updates. While the project maintains a public security policy and encourages responsible disclosure, the high volume of past CVEs indicates a need for rigorous code auditing and strict configuration management by administrators to mitigate potential exploitation vectors in production environments.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-45810 | Nextcloud: Propfind requests for file comments allowed to load comments for other files — security-advisories | CWE-639 | 6.8 | Medium | 2026-06-01 |
| CVE-2026-45722 | Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views — security-advisories | CWE-89 | 7.1 | High | 2026-06-01 |
| CVE-2026-45691 | Nextcloud: Bypass of second factor authentication on DAV endpoints — security-advisories | CWE-287 | 5.9 | Medium | 2026-06-01 |
| CVE-2026-45690 | Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay — security-advisories | CWE-287 | 5.9 | Medium | 2026-06-01 |
| CVE-2026-45545 | Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution — security-advisories | CWE-89 | 8.2 | High | 2026-06-01 |
| CVE-2026-45544 | Nextcloud: Information Disclosure of view filter metadata via Broken Sensitive Data Masking in ViewService — security-advisories | CWE-1230 | 4.3 | Medium | 2026-06-01 |
| CVE-2026-45543 | Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share — security-advisories | CWE-552 | 5.3 | Medium | 2026-06-01 |
| CVE-2026-45286 | Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint — security-advisories | CWE-200 | 4.3 | Medium | 2026-06-01 |
| CVE-2026-45284 | Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate — security-advisories | CWE-284 | 4.6 | Medium | 2026-06-01 |
| CVE-2026-45285 | Nextcloud: Hidden Public Link creation when sharing to a Team External Member — security-advisories | CWE-862 | 6.4 | Medium | 2026-06-01 |
| CVE-2026-45283 | Nextcloud: Files Lock app allows users to lock and unlock files of other users — security-advisories | CWE-287 | 6.3 | Medium | 2026-06-01 |
| CVE-2026-45282 | Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access — security-advisories | CWE-284 | 6.5 | Medium | 2026-06-01 |
| CVE-2026-45281 | Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update — security-advisories | CWE-639 | 8.1 | High | 2026-06-01 |
| CVE-2026-45279 | Nextcloud: Limited path traversal via template API if using `{lang}` in config — security-advisories | CWE-22 | 4.4 | Medium | 2026-06-01 |
| CVE-2026-45278 | Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass — security-advisories | CWE-601 | 3.3 | Low | 2026-06-01 |
| CVE-2026-45277 | Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations — security-advisories | CWE-200 | 3.3 | Low | 2026-06-01 |
| CVE-2026-45275 | Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers — security-advisories | CWE-285 | 6.5 | Medium | 2026-06-01 |
| CVE-2026-45267 | Nextcloud: Missing permission check for from submissions — security-advisories | CWE-200 | 6.5 | Medium | 2026-06-01 |
| CVE-2026-45266 | Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling — security-advisories | CWE-284 | 3.5 | Low | 2026-06-01 |
| CVE-2026-45159 | Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner — security-advisories | CWE-639 | 3.5 | Low | 2026-06-01 |
| CVE-2026-45157 | Nextcloud: Valid share tokens allow to access temporary upload files of share owner — security-advisories | CWE-284 | 6.3 | Medium | 2026-06-01 |
| CVE-2026-45156 | Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC — security-advisories | CWE-287 | 8.1 | High | 2026-06-01 |
| CVE-2026-45155 | Nextcloud: Private circle can be added to another circle via API — security-advisories | CWE-639 | 2.6 | Low | 2026-06-01 |
| CVE-2026-45154 | Nextcloud: Improper Access Control in Collectives — security-advisories | CWE-284 | 2.6 | Low | 2026-06-01 |
| CVE-2026-45153 | Nextcloud: PIN bypass in PassCodeActivity via back button — security-advisories | CWE-287 | 4.6 | Medium | 2026-06-01 |
| CVE-2026-45264 | Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames — security-advisories | CWE-284 | 4.3 | Medium | 2026-06-01 |
| CVE-2026-44515 | Nextcloud News: Authenticated blind SSRF via feed URL — news | CWE-918 | - | - | 2026-05-14 |
| CVE-2025-66558 | Nextcloud Twofactor WebAuthn app was updated based on public key — security-advisories | CWE-639 | 3.1 | Low | 2025-12-05 |
| CVE-2025-66556 | Nextcloud talk allows participants to blindly delete poll drafts of other users by ID — security-advisories | CWE-639 | 3.5 | Low | 2025-12-05 |
| CVE-2025-66554 | Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field — security-advisories | CWE-79 | 3.5 | Low | 2025-12-05 |

This page lists every published CVE security advisory associated with nextcloud. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.