nextcloud security-advisories Vulnerabilities: CVEs, CISA KEV & Security Advisories

Severity and exploitation

How the CVSS severity of nextcloud security-advisories's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical3

High31

Medium134

Low90

2 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

None of nextcloud security-advisories's CVEs are currently listed in CISA's KEV catalog.

Public exploits

28 of nextcloud security-advisories's CVEs have a known public exploit available.

Affected versions and CVEs

Browse every nextcloud security-advisories version named in a CVE, then pick one to see only the CVEs that affect it.

Specific versions

< 19.0.1311 CVEs
>= 20.0.0, < 20.0.1111 CVEs
>= 21.0.0, < 21.0.311 CVEs
>= 27.0.0, < 27.0.17 CVEs
>= 25.0.0, < 25.0.46 CVEs
>= 25.0.0, < 25.0.96 CVEs
>= 26.0.0, < 26.0.46 CVEs
>= 32.0.0, < 32.0.96 CVEs
>= 33.0.0, < 33.0.36 CVEs
< 19.0.115 CVEs
>= 20.0.0, < 20.0.105 CVEs
>= 21.0.0, < 21.0.25 CVEs
>= 21.0.0, < 21.0.45 CVEs
>= 25.0.0, < 25.0.115 CVEs
>= 26.0.0, < 26.0.65 CVEs
>= 27.0.0, < 27.1.05 CVEs
< 20.0.124 CVEs
< 24.0.104 CVEs
>= 24.0.0, < 24.0.12.54 CVEs
>= 24.0.0, < 24.0.54 CVEs
>= 28.0.0, < 28.0.124 CVEs
>= 29.0.0, < 29.0.94 CVEs
>= 30.0.0, < 30.0.24 CVEs
Nextcloud Server >= 25.0.0, < 25.0.74 CVEs
Nextcloud Server >= 26.0.0, < 26.0.24 CVEs
< 20.0.143 CVEs
< 21.0.83 CVEs
< 22.2.03 CVEs
< 22.2.103 CVEs
>= 21.0.0, < 21.0.53 CVEs
>= 21.0.0, < 21.0.63 CVEs
>= 21.0.0, < 21.0.9.133 CVEs
>= 22.0.0, < 22.1.03 CVEs
>= 22.0.0, < 22.2.10.143 CVEs
>= 23.0.0, < 23.0.12.93 CVEs
>= 24.0.0, < 24.0.33 CVEs
>= 24.0.0, < 24.0.83 CVEs
>= 25.0.0, < 25.0.133 CVEs
>= 26.0.0, < 26.0.133 CVEs
>= 26.0.0, < 26.0.83 CVEs
>= 27.0.0, < 27.1.33 CVEs
>= 27.0.0, < 27.1.83 CVEs
>= 28.0.0, < 28.0.103 CVEs
>= 28.0.0, < 28.0.43 CVEs
>= 29.0.0, < 29.0.73 CVEs
< 1.2.92 CVEs
< 20.0.132 CVEs
< 22.2.42 CVEs
< 22.2.72 CVEs
< 23.0.12 CVEs
< 23.0.122 CVEs
< 3.8.42 CVEs
= 25.0.02 CVEs
>= 1.15.0, < 1.15.42 CVEs
>= 1.7.0, < 1.7.32 CVEs
>= 1.8.0, < 1.8.22 CVEs
>= 2.4.0, < 2.4.12 CVEs
>= 2.5.0, < 2.5.12 CVEs
>= 20.0.0, < 20.0.14.152 CVEs
>= 22.0.0, < 22.2.10.132 CVEs
>= 22.0.0, < 22.2.10.162 CVEs
>= 22.2.0, < 22.2.12 CVEs
>= 23.0.0, < 23.0.12.112 CVEs
>= 23.0.0, < 23.0.12.132 CVEs
>= 23.0.0, < 23.0.12.82 CVEs
>= 23.0.0, < 23.0.42 CVEs
>= 23.0.0, < 23.0.72 CVEs
>= 23.0.0, < 23.0.92 CVEs
>= 24.0.0, < 24.0.102 CVEs
>= 24.0.0, < 24.0.112 CVEs
>= 24.0.0, < 24.0.12.72 CVEs
>= 24.0.0, < 24.0.12.92 CVEs
>= 25.0.0, < 25.0.12 CVEs
>= 25.0.0, < 25.0.13.42 CVEs
>= 25.0.0, < 25.0.52 CVEs
>= 25.0.0, < 25.0.82 CVEs
>= 26.0.0, < 26.0.32 CVEs
>= 26.0.0, < 26.0.92 CVEs
>= 27.0.0, < 27.1.102 CVEs
>= 27.0.0, < 27.1.42 CVEs
>= 28.0.0, < 28.0.112 CVEs
>= 29.0.0, < 29.0.82 CVEs
>= 3.0.0, < 3.0.12 CVEs
>= 30.0.0, < 30.0.12 CVEs
>= 32.0.0beta1, < 32.0.12 CVEs
>= 33.0.0, < 33.0.12 CVEs
>= 4.0.0, < 4.2.12 CVEs
>= 7.0.0, < 7.0.22 CVEs
< 1.12.71 CVE
< 0.19.11 CVE
< 0.19.151 CVE
< 0.8.61 CVE
< 0.8.71 CVE
< 0.8.91 CVE
< 1.11.81 CVE
< 1.12.21 CVE
< 1.12.81 CVE
< 1.14.61 CVE
< 1.15.01 CVE
< 1.15.31 CVE
< 1.2.111 CVE
< 1.3.11 CVE
< 1.4.21 CVE
< 1.4.31 CVE
< 1.4.81 CVE
< 10.0.71 CVE
< 11.2.01 CVE
< 11.3.41 CVE
< 12.2.21 CVE
< 12.2.81 CVE
< 13.0.01 CVE
< 13.0.81 CVE
< 14.0.111 CVE
< 2.2.51 CVE
< 20.0.14.41 CVE
< 20.1.81 CVE
< 21.1.101 CVE
< 22.0.111 CVE
< 22.2.10.51 CVE
< 22.2.61 CVE
< 22.2.81 CVE
< 22.2.91 CVE
< 23.0.101 CVE
< 23.0.111 CVE
< 23.0.21 CVE
< 23.0.31 CVE
< 23.0.71 CVE
< 23.0.81 CVE
< 23.0.91 CVE
< 24.0.71 CVE
< 24.0.91 CVE
< 3.021 CVE
< 3.5.51 CVE
< 3.8.31 CVE
< 3.8.6,1 CVE
< 3.8.71 CVE
< 31.0.101 CVE
< 31.0.121 CVE
< 31.0.91 CVE
< 4.2.31 CVE
< 4.2.61 CVE
< 4.7.171 CVE
< 5.5.41 CVE
< 6.3.21 CVE
< 9.0.101 CVE
= 1.6.01 CVE
= 7.0.01 CVE
>= 0.20.0, < 0.20.101 CVE
>= 0.20.0, < 0.20.111 CVE
>= 0.21.0, < 0.21.31 CVE
>= 0.21.0, < 0.21.41 CVE
>= 0.3.0, < 3.1.01 CVE
>= 0.7.0, < 0.7.61 CVE
>= 0.7.0, < 0.7.71 CVE
>= 0.8.0, < 0.8.101 CVE
>= 0.8.0, < 0.8.81 CVE
>= 0.9.0-beta.1, < 0.9.31 CVE
>= 0.9.0-beta.1, < 0.9.41 CVE
>= 0.9.0-beta.1, < 0.9.61 CVE
>= 0.9.0, < 0.9.51 CVE
>= 0.9.0, < 0.9.71 CVE
>= 0.9.0, < 0.9.81 CVE
>= 1.0.0-beta.1, < 1.0.11 CVE
>= 1.0.0, < 1.0.21 CVE
>= 1.0.0, < 1.0.41 CVE
>= 1.1.0, < 1.4.11 CVE
>= 1.10.0, < 1.11.21 CVE
>= 1.10.0, < 1.11.31 CVE
>= 1.11.0, < 1.12.11 CVE
>= 1.12.0, < 1.12.91 CVE
>= 1.13.0, < 1.13.11 CVE
>= 1.13.0, < 1.13.61 CVE
>= 1.13.0, < 1.14.51 CVE
>= 1.13.0, < 2.2.81 CVE
>= 1.14.0-beta.1, < 1.14.41 CVE
>= 1.14.0, < 1.14.11 CVE
>= 1.15.0-beta.1, < 1.15.11 CVE
>= 1.15.0-beta.1, < 1.15.21 CVE
>= 1.16.0, < 1.16.31 CVE
>= 1.17.0, < 1.17.11 CVE
>= 1.18.0, < 1.18.11 CVE
>= 1.2.0, < 1.2.11 CVE
>= 1.3.0, < 1.4.11 CVE
>= 1.3.0, < 1.4.41 CVE
>= 1.4.0, < 1.4.51 CVE
>= 1.4.0, < 1.4.61 CVE
>= 1.5.0, < 1.5.11 CVE
>= 1.5.0, < 1.5.31 CVE
>= 1.5.0, < 1.5.41 CVE
>= 1.5.0, < 1.5.61 CVE
>= 1.5.5, < 1.8.21 CVE
>= 1.6.0, < 1.6.51 CVE
>= 1.6.0, < 1.6.61 CVE
>= 1.60, < 1.6.51 CVE
>= 1.7.0, < 1.7.51 CVE
>= 1.8.0, < 1.8.71 CVE
>= 1.9.0, < 1.14.61 CVE
>= 1.9.0, < 1.9.51 CVE
>= 1.9.0, < 1.9.61 CVE
>= 10.0.0, < 10.0.81 CVE
>= 10.1.0, < 10.1.41 CVE
>= 11.0.0, < 11.2.21 CVE
>= 11.1.0, < 11.1.21 CVE
>= 12.0.0.alpha-1, < 12.0.01 CVE
>= 12.2.0, < 12.2.71 CVE
>= 13.0.0, < 13.0.101 CVE
>= 13.0.0, < 13.0.71 CVE
>= 14.0.0, < 14.0.31 CVE
>= 14.0.0, < 14.0.41 CVE
>= 14.0.0, < 14.0.61 CVE
>= 14.0.0, < 14.0.91 CVE
>= 15.0.0-beta1, < 15.3.121 CVE
>= 15.0.0, < 15.0.41 CVE
>= 15.0.0, < 15.0.81 CVE
>= 16.0.0, < 16.0.111 CVE
>= 16.0.0, < 16.0.151 CVE
>= 16.0.0, < 16.0.61 CVE
>= 17.0.0-beta.1, < 17.0.141 CVE
>= 17.0.0, < 17.0.151 CVE
>= 17.0.0, < 17.0.51 CVE
>= 17.0.0, < 17.1.11 CVE
>= 18.0.0-beta.1, < 18.1.81 CVE
>= 18.0.0, < 18.0.31 CVE
>= 18.0.0, < 18.1.121 CVE
>= 19.0.0-alpha.1, < 19.1.81 CVE
>= 19.0.0, < 19.0.13.101 CVE
>= 19.0.0, < 19.1.161 CVE
>= 2.0.0-beta.1, < 2.4.11 CVE
>= 2.0.0, < 2.1.21 CVE
>= 2.0.0, < 2.2.11 CVE
>= 2.0.0, < 2.2.21 CVE
>= 2.0.0, < 2.2.81 CVE
>= 2.0.0, < 2.5.01 CVE
>= 2.1.0, < 2.2.111 CVE
>= 2.2.0, < 2.3.41 CVE
>= 2.4.0, < 2.4.51 CVE
>= 20.0.0, < 20.0.14.161 CVE
>= 20.0.0, < 20.1.111 CVE
>= 20.0.0, < 20.1.21 CVE
>= 21.0.0-beta.1, < 21.1.21 CVE
>= 22.0.0, < 22.0.11 CVE
>= 22.0.0, < 22.2.11 CVE
>= 22.0.0, < 22.2.10.151 CVE
>= 22.0.0, < 22.2.41 CVE
>= 23.0.0, < 23.0.11 CVE
>= 23.0.0, < 23.0.12.121 CVE
>= 23.0.0, < 23.0.12.61 CVE
>= 23.0.0, < 23.0.141 CVE
>= 23.0.0, < 23.0.31 CVE
>= 23.0.0, < 23.0.51 CVE
>= 23.0.0, < 23.0.61 CVE
>= 24.0.0, < 24.0.11 CVE
>= 24.0.0, < 24.0.12.41 CVE
>= 24.0.0, < 24.0.12.81 CVE
>= 24.0.0, < 24.0.21 CVE
>= 24.0.0, < 24.0.41 CVE
>= 24.0.0, < 24.0.71 CVE
>= 24.0.4, < 24.0.12.51 CVE
>= 24.0.4, < 24.0.71 CVE
>= 24.0.4, < 24.0.81 CVE
>= 25.0.0, < 25.0.21 CVE
>= 25.0.0, < 25.0.31 CVE
>= 25.0.1, < 25.0.71 CVE
>= 25.0.2, < 25.0.61 CVE
>= 26.0.0, < 26.0.11 CVE
>= 26.0.0, < 26.0.121 CVE
>= 26.0.0, < 26.0.13.131 CVE
>= 26.0.0, < 26.0.13.151 CVE
>= 26.0.0, < 26.0.21 CVE
>= 27.0.0, < 27.1.11.131 CVE
>= 27.0.0, < 27.1.11.151 CVE
>= 27.0.0, < 27.1.71 CVE
>= 27.0.0, < 27.1.91 CVE
>= 27.0.0, < 28.0.61 CVE
>= 27.0.0, < 29.0.11 CVE
>= 28.0.0, < 28.0.131 CVE
>= 28.0.0, < 28.0.14.41 CVE
>= 28.0.0, < 28.0.14.61 CVE
>= 28.0.0, < 28.0.31 CVE
>= 28.0.0, < 28.0.51 CVE
>= 28.0.0, < 28.0.61 CVE
>= 28.0.0, < 28.0.91 CVE
>= 29.0.0, < 29.0.11 CVE
>= 29.0.0, < 29.0.101 CVE
>= 29.0.0, < 29.0.131 CVE
>= 29.0.0, < 29.0.151 CVE
>= 29.0.0, < 29.0.51 CVE
>= 3.0.0-beta1, < 4.7.191 CVE
>= 3.0.0, < 3.3.01 CVE
>= 3.0.0, < 3.8.01 CVE
>= 3.0.5, < 4.8.01 CVE
>= 3.1.0, < 3.3.01 CVE
>= 3.1.0, < 3.6.31 CVE
>= 3.13.0, < 3.25.01 CVE
>= 3.6.0, < 3.6.21 CVE
>= 3.7.0, < 3.7.21 CVE
>= 3.7.0, < 3.7.71 CVE
>= 30.0.0, < 30.0.31 CVE
>= 30.0.0, < 30.0.71 CVE
>= 30.0.0, < 30.0.91 CVE
>= 31.0.0, < 31.0.11 CVE
>= 31.0.0, < 31.0.121 CVE
>= 31.0.0, < 31.0.141 CVE
>= 31.0.0, < 31.0.31 CVE
>= 32.0.0, < 32.0.21 CVE
>= 32.0.0, < 32.0.31 CVE
>= 32.0.0, < 32.0.41 CVE
>= 32.0.0, < 32.0.71 CVE
>= 32.0.0beta1, < 32.0.31 CVE
>= 4.0.0, < 4.2.01 CVE
>= 4.0.0, < 4.2.31 CVE
>= 4.0.0, < 4.2.91 CVE
>= 4.1.0, < 4.2.41 CVE
>= 4.3.0, < 4.6.81 CVE
>= 4.7.0, < 4.7.21 CVE
>= 5.0.0-rc.1, < 5.2.41 CVE
>= 5.0.0-rc.1, < 5.5.61 CVE
>= 5.0.0, < 5.0.101 CVE
>= 5.0.0, < 5.0.31 CVE
>= 5.0.0, < 5.0.41 CVE
>= 5.0.0, < 5.1.01 CVE
>= 5.0.0, < 5.1.51 CVE
>= 5.2.0, < 5.2.51 CVE
>= 5.5.13, < 5.5.171 CVE
>= 6.0.0-alpha1, < 6.0.61 CVE
>= 6.0.0-rc.1, < 6.0.11 CVE
>= 6.0.0, < 6.0.11 CVE
>= 6.0.0, < 6.3.11 CVE
>= 6.0.0, < 6.3.21 CVE
>= 6.0.0, < 6.4.01 CVE
>= 6.2.0, < 6.2.31 CVE
>= 7.0.0-alpha.1, < 7.2.51 CVE
>=2.2.0, < 2.2.101 CVE
20.0.131 CVE
Nextcloud Server >= 24.0.0, < 24.0.101 CVE
Nextcloud Server >= 25.0.0, < 25.0.41 CVE
Nextcloud Server: < 24.0.111 CVE
Nextcloud Server: >= 25.0.0, < 25.0.51 CVE

Find a version

260 CVEs

Sort

Nextcloud: Propfind requests for file comments allowed to load comments for other files
CVE-2026-45810CWE-639
Medium · CVSS 6.8
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Tables app allows limited SQLi in ORDER BY with malicious sort order argument for Table Views
CVE-2026-45722CWE-89
High · CVSS 7.1
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Bypass of second factor authentication on DAV endpoints
CVE-2026-45691CWE-287
Medium · CVSS 5.9
EPSS 0.1% (17th pct)2026-06-01
Nextcloud: Two-Factor Authentication Bypass via Pending Session Token Replay
CVE-2026-45690CWE-287
Medium · CVSS 5.9
EPSS 0.1% (20th pct)2026-06-01
Nextcloud: SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution
CVE-2026-45545CWE-89
High · CVSS 8.2
EPSS 0.0% (9th pct)2026-06-01
Nextcloud: Information Disclosure of view filter metdata via Broken Sensitive Data Masking in ViewService
CVE-2026-45544CWE-1230
Medium · CVSS 4.3
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Deleting a Forms collaborator share leaves uploaded response files accessible through a lingering Files share
CVE-2026-45543CWE-552
Medium · CVSS 5.3
EPSS 0.0% (9th pct)2026-06-01
Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint
CVE-2026-45286CWE-200
Medium · CVSS 4.3
EPSS 0.0% (9th pct)2026-06-01
Nextcloud: Wrong condition in the User OIDC app's LdapService allowed deleted LDAP users to authenticate
CVE-2026-45284CWE-284
Medium · CVSS 4.6
EPSS 0.0% (12th pct)2026-06-01
Nextcloud: Hidden Public Link creation when sharing to a Team External Member
CVE-2026-45285CWE-862
Medium · CVSS 6.4
EPSS 0.0% (11th pct)2026-06-01
Nextcloud: Files Lock app allows users to lock and unlock files of other users
CVE-2026-45283CWE-287
Medium · CVSS 6.3
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Logged-in user bypasses share password and download restrictions on Text attachments via documentId leads to unauthorized file access
CVE-2026-45282CWE-284
Medium · CVSS 6.5
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Cross-Account Calendar Takeover via Unauthorized Group-Member-Set Update
CVE-2026-45281CWE-639
High · CVSS 8.1
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Limited path traversal via template API if using `{lang}` in config
CVE-2026-45279CWE-22
Medium · CVSS 4.4
EPSS 0.0% (12th pct)2026-06-01
Nextcloud: Open Redirect in user_oidc login flow via protocol-relative URL bypass
CVE-2026-45278CWE-601
Low · CVSS 3.3
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Information disclosure in Nextcloud Approval app via fileId parameter reveals workflow associations
CVE-2026-45277CWE-200
Low · CVSS 3.3
EPSS 0.0% (1th pct)2026-06-01
Nextcloud: Authorization bypass in approval feature allows unauthorized file sharing with approvers
CVE-2026-45275CWE-285
Medium · CVSS 6.5
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Missing permission check for from submissions
CVE-2026-45267CWE-862
Medium · CVSS 6.5
EPSS 0.0% (6th pct)2026-06-01
Nextcloud: Unauthorized force-mute from missing permission check when using internal signaling
CVE-2026-45266CWE-284
Low · CVSS 3.5
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner
CVE-2026-45159CWE-639
Low · CVSS 3.5
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Valid share tokens allow to access tempory upload files of share owner
CVE-2026-45157CWE-284
Medium · CVSS 6.3
EPSS 0.0% (8th pct)2026-06-01
Nextcloud: Authentication Bypass in ID4me handling via Missing JWT Signature Verification in User OIDC
CVE-2026-45156CWE-287
High · CVSS 8.1
EPSS 0.0% (9th pct)2026-06-01
Nextcloud: Private circle can be added to another circle via API
CVE-2026-45155CWE-639
Low · CVSS 2.6
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: Improper Access Control in Collectives
CVE-2026-45154CWE-284
Low · CVSS 2.6
EPSS 0.0% (7th pct)2026-06-01
Nextcloud: PIN bypass in PassCodeActivity via back button
CVE-2026-45153CWE-287
Medium · CVSS 4.6
EPSS 0.0% (2th pct)2026-06-01
Nextcloud: ACL Rename Permission Bypass in Team Folders Allows Unauthorized File Renames
CVE-2026-45264CWE-284
Medium · CVSS 4.3
EPSS 0.0% (7th pct)2026-06-01
Nextcloud Twofactor WebAuthn app was updated based on public key
CVE-2025-66558
Patch
CWE-639
Low · CVSS 3.1
EPSS 0.0% (5th pct)2025-12-05
Nextcloud talk allows participants to blindly delete poll drafts of other users by ID
CVE-2025-66556
Patch
CWE-639
Low · CVSS 3.5
EPSS 0.0% (2th pct)2025-12-05
Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field
CVE-2025-66554
Patch
CWE-79
Low · CVSS 3.5
EPSS 0.0% (4th pct)2025-12-05
Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory
CVE-2025-66549
Patch
CWE-209
Low · CVSS 2.4
EPSS 0.0% (10th pct)2025-12-05

Showing 30 of 260

Severity and exploitation

nextcloud security-advisories Vulnerabilities

Overview

Severity and exploitation

Affected versions and CVEs

Specific versions

Common weakness types

Disclosure activity by year

Other nextcloud products

Frequently asked questions

How many CVEs does nextcloud security-advisories have?

How many nextcloud security-advisories CVEs are in CISA KEV?

Are there public exploits for nextcloud security-advisories vulnerabilities?

Which versions of nextcloud security-advisories are affected?

What are the most common weakness types in nextcloud security-advisories CVEs?

How many critical nextcloud security-advisories vulnerabilities are there?

What is the average severity of nextcloud security-advisories CVEs?

References

Track nextcloud security-advisories vulnerabilities