Low Published: Dec 05, 2025

CVE-2025-66514

3.5 CVSS SCORE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

CVSS Vector Details

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity Low

Availability None

Weaknesses (CWE)

CWE-79

References & External Links

https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09
https://github.com/nextcloud/mail/pull/11740
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5
https://hackerone.com/reports/3357036

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker