Medium Published: Dec 05, 2025

CVE-2025-66550

5.7 CVSS SCORE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

CVSS Vector Details

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity High

Availability None

Weaknesses (CWE)

CWE-241

References & External Links

https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769
https://github.com/nextcloud/calendar/pull/6971
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv
https://hackerone.com/reports/3112033

External Resources

NVD Official Record Exploit-DB Search Exploits CVE Details Statistics GitHub PoC / Tools X / Twitter Discussions Google Search More

← Back to CVE Tracker