Medium Published: Dec 05, 2025

CVE-2025-66512

5.4 CVSS SCORE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page.

CVSS Vector Details

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity Low

Availability Low

Weaknesses (CWE)

CWE-80

References & External Links

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5
https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335b63
https://github.com/nextcloud/viewer/pull/3023
https://hackerone.com/reports/3357808

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker