nextcloud mail Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of nextcloud mail's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical0

High3

Medium5

Low7

2 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of nextcloud mail's CVEs are currently listed in CISA's KEV catalog.

Public exploits

2 of nextcloud mail's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every nextcloud mail version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

nighly-201708318 CVEs
nightly-201612028 CVEs
nightly-201612088 CVEs
nightly-201612188 CVEs
nightly-201701178 CVEs
nightly-201706128 CVEs
nightly-201708238 CVEs
nightly-201708318 CVEs
nightly-201709068 CVEs
nightly-201709138 CVEs
nightly-201711278 CVEs
nightly-201712128 CVEs
nightly-201804108 CVEs
nightly-202001158 CVEs
untagged-bd8a3cab1eb0022ec6838 CVEs
v0.1.08 CVEs
v0.1.38 CVEs
v0.10.08 CVEs
v0.10.0-beta18 CVEs
v0.10.0-rc18 CVEs
v0.11.08 CVEs
v0.11.0-beta18 CVEs
v0.12.08 CVEs
v0.12.0-alpha-48 CVEs
v0.12.0-alpha-58 CVEs
v0.12.0-alpha18 CVEs
v0.12.0-alpha28 CVEs
v0.12.0-alpha38 CVEs
v0.12.0-beta18 CVEs
v0.12.0-beta28 CVEs
v0.12.0-beta38 CVEs
v0.12.0-beta48 CVEs
v0.12.0-beta58 CVEs
v0.12.0-RC18 CVEs
v0.12.0-RC28 CVEs
v0.12.0-RC38 CVEs
v0.13.08 CVEs
v0.14.08 CVEs
v0.15.08 CVEs
v0.15.18 CVEs
v0.15.28 CVEs
v0.15.38 CVEs
v0.15.48 CVEs
v0.15.58 CVEs
v0.16.08 CVEs
v0.17.08 CVEs
v0.18.08 CVEs
v0.18.0-RC18 CVEs
v0.18.18 CVEs
v0.19.08 CVEs
v0.19.18 CVEs
v0.2.08 CVEs
v0.20.08 CVEs
v0.20.18 CVEs
v0.20.28 CVEs
v0.20.38 CVEs
v0.21.08 CVEs
v0.21.18 CVEs
v0.3.08 CVEs
v0.4.08 CVEs
v0.4.18 CVEs
v0.4.28 CVEs
v0.4.38 CVEs
v0.4.48 CVEs
v0.5.08 CVEs
v0.5.18 CVEs
v0.5.28 CVEs
v0.6.28 CVEs
v0.7.08 CVEs
v0.7.18 CVEs
v0.7.108 CVEs
v0.7.28 CVEs
v0.7.38 CVEs
v0.7.48 CVEs
v0.7.58 CVEs
v0.7.68 CVEs
v0.7.78 CVEs
v0.7.88 CVEs
v0.7.98 CVEs
v0.8.08 CVEs
v0.8.0-alpha18 CVEs
v0.8.0-beta18 CVEs
v0.8.18 CVEs
v0.8.28 CVEs
v0.8.2-alpha28 CVEs
v0.8.2-alpha38 CVEs
v0.8.38 CVEs
v0.8.3-alpha18 CVEs
v0.9.08 CVEs
v0.9.0-beta18 CVEs
v0.9.0-beta28 CVEs
v0.9.0-beta38 CVEs
v0.9.0-rc18 CVEs
v1.0.08 CVEs
v1.1.08 CVEs
v1.1.18 CVEs
v1.1.28 CVEs
v1.9.08 CVEs
1.6.27 CVEs
nightly-202004237 CVEs
nightly-202004277 CVEs
nightly-202005067 CVEs
nightly-202005137 CVEs
v1.3.07 CVEs
v1.3.0-beta17 CVEs
v1.3.0-beta27 CVEs
v1.3.0-beta37 CVEs
v1.3.0-RC17 CVEs
v1.3.17 CVEs
v1.3.27 CVEs
v1.3.37 CVEs
v1.4.0-beta17 CVEs
v1.4.0-beta27 CVEs
v1.4.0-rc17 CVEs
v1.5.07 CVEs
v1.5.0-alpha37 CVEs
v1.5.0-beta17 CVEs
v1.5.0-beta27 CVEs
v1.5.0-beta37 CVEs
v1.5.0-rc17 CVEs
v1.5.0-rc27 CVEs
v1.6.07 CVEs
v1.7.07 CVEs
v1.8.07 CVEs
v1.9.0-alpha27 CVEs
v1.9.0-alpha37 CVEs
1.10.0-alpha.76 CVEs
v1.10.0-alpha.46 CVEs
v1.10.0-alpha.66 CVEs
v1.10.0-alpha.76 CVEs
v1.10.0-RC.16 CVEs
v1.11.05 CVEs
v1.11.0-rc15 CVEs
v1.12.0-rc.15 CVEs
v1.13.0-beta13 CVEs
v1.13.0-beta33 CVEs
v1.14.0-alpha43 CVEs
v1.14.0-beta13 CVEs
v2.2.03 CVEs
v2.2.13 CVEs
v1.12.02 CVEs
v1.12.0-rc.22 CVEs
v1.12.0-rc32 CVEs
v1.12.1-rc.12 CVEs
v1.14.02 CVEs
v1.14.0-beta22 CVEs
v1.14.0-beta32 CVEs
v1.14.0-rc.12 CVEs
v1.14.0-rc.22 CVEs
v1.14.12 CVEs
v1.14.22 CVEs
v1.14.32 CVEs
v1.14.3.alpha.12 CVEs
v1.14.42 CVEs
v1.14.52 CVEs
v1.9.12 CVEs
v1.9.22 CVEs
v1.9.32 CVEs
v1.9.42 CVEs
v2.2.22 CVEs
v2.2.32 CVEs
v2.2.42 CVEs
v3.7.02 CVEs
v3.7.12 CVEs
v1.1.31 CVE
v1.10.01 CVE
v1.10.0-RC.21 CVE
v1.10.11 CVE
v1.10.21 CVE
v1.10.31 CVE
v1.12.11 CVE
v1.13.01 CVE
v1.13.11 CVE
v1.13.21 CVE
v1.13.31 CVE
v1.13.41 CVE
v1.13.4-rc.11 CVE
v1.13.51 CVE
v1.15.01 CVE
v1.15.11 CVE
v1.15.21 CVE
v1.15.31 CVE
v1.9.51 CVE
v2.0.0-beta.51 CVE
v2.0.0-beta.61 CVE
v2.0.0-beta.71 CVE
v2.0.0-beta11 CVE
v2.0.0-beta31 CVE
v2.0.0-beta41 CVE
v2.0.0-RC11 CVE
v2.1.0-rc11 CVE
v2.2.51 CVE
v2.2.61 CVE
v2.2.71 CVE
v2.2.81 CVE
v2.2.91 CVE
v3.6.01 CVE
v3.6.11 CVE
v3.7.21 CVE
v3.7.31 CVE
v3.7.41 CVE
v3.7.51 CVE
v3.7.61 CVE
v5.2.0-beta.11 CVE
v5.5.01 CVE
v5.5.0-rc.11 CVE
v5.5.0-rc.21 CVE
v5.5.11 CVE
v5.5.21 CVE

Fixed in

2.2.22 CVEs
2.2.82 CVEs
3.3.02 CVEs
806f64a349f75b1ecd7871ea7aea4a11ed8157742 CVEs
90f9720bb3a5bb7d92c7dc12e45cd1752b3c22ed2 CVEs
1.1.41 CVE
1.10.41 CVE
1.11.81 CVE
1.12.11 CVE
1.12.81 CVE
1.12.91 CVE
1.13.61 CVE
1.14.51 CVE
1.14.6

Find a version

17 CVEs

Sort

Nextcloud Mail stored HTML injection in subject text
CVE-2025-66514
Patch
CWE-79
Low · CVSS 3.5
EPSS 0.0% (4th pct)2025-12-05
Low vulnerability · 2024-11-15
CVE-2024-52509
Patch
CWE-284
Low · CVSS 3.5
EPSS 0.3% (55th pct)2024-11-15
High vulnerability · 2024-11-15
CVE-2024-52508
Patch
CWE-200
High · CVSS 8.2
EPSS 0.3% (53th pct)2024-11-15
Low vulnerability · 2023-11-21
CVE-2023-48307
Patch
CWE-918
Low · CVSS 3.5
EPSS 0.2% (40th pct)2023-11-21
Require strict cookies for image proxy requests in Nextcloud Mail
CVE-2023-45660
Patch
CWE-918
Medium · CVSS 4.3
EPSS 0.1% (32th pct)2023-10-16
Blind SSRF in the Nextcloud Mail app on avatar endpoint
CVE-2023-33184
Patch
CWE-918
Low · CVSS 3.5
EPSS 0.1% (35th pct)2023-05-27
Medium vulnerability · 2023-02-13
CVE-2023-25160
Patch
CWE-639
Medium · CVSS 4.1
EPSS 0.3% (57th pct)2023-02-13
Medium vulnerability · 2023-02-06
CVE-2023-23943
Public exploit
Patch
CWE-918
Medium · CVSS 5.0
EPSS 0.8% (74th pct)2023-02-06
Low vulnerability · 2023-02-06
CVE-2023-23944
Patch
CWE-312
Low · CVSS 2.0
EPSS 0.2% (42th pct)2023-02-06
Low vulnerability · 2022-08-04
CVE-2022-31119
Patch
CWE-532
Low · CVSS 3.1
EPSS 0.4% (60th pct)2022-08-04
High vulnerability · 2022-08-04
CVE-2022-31132
Patch
CWE-918
High · CVSS 8.3
EPSS 0.4% (62th pct)2022-08-04
Medium vulnerability · 2022-07-06
CVE-2022-31131
Public exploit
Patch
CWE-287
Medium · CVSS 5.4
EPSS 0.2% (36th pct)2022-07-06
Low vulnerability · 2021-10-25
CVE-2021-39220
Patch
CWE-20
Low · CVSS 3.5
EPSS 0.3% (50th pct)2021-10-25
Medium vulnerability · 2021-07-12
CVE-2021-32707
Patch
CWE-20
Medium · CVSS 4.3
EPSS 0.3% (56th pct)2021-07-12
Vulnerability · 2021-06-11
CVE-2021-22896
Patch
CWE-862
Unscored
EPSS 0.4% (62th pct)2021-06-11
High vulnerability · 2021-06-01
CVE-2021-32652
Patch
CWE-284
High · CVSS 8.8
EPSS 0.5% (64th pct)2021-06-01
Vulnerability · 2020-05-12
CVE-2020-8156
Patch
CWE-295
Unscored
EPSS 0.5% (68th pct)2020-05-12

Severity and exploitation

nextcloud mail Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Fixed in

Common weakness types

Disclosure activity by year

Other nextcloud products

Frequently asked questions

How many CVEs does nextcloud mail have?

How many nextcloud mail CVEs are in CISA KEV?

Are there public exploits for nextcloud mail vulnerabilities?

Which versions of nextcloud mail are affected?

What are the most common weakness types in nextcloud mail CVEs?

What is the average severity of nextcloud mail CVEs?

References

Track nextcloud mail vulnerabilities