CVE-2025-66514

3.5 LOW

📋 TL;DR

This vulnerability allows authenticated Nextcloud Mail users to inject HTML into email subject lines displayed in the message list. While JavaScript execution is prevented by Nextcloud's Content Security Policy, HTML injection can still enable phishing attacks and UI manipulation. Only Nextcloud instances with the Mail app installed and using versions before 5.5.3 are affected.

💻 Affected Systems

Products:
  • Nextcloud Mail
Versions: All versions before 5.5.3
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Nextcloud Mail app to be installed and enabled. The vulnerability is present in the default configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could craft malicious email subjects containing HTML that appears legitimate, potentially tricking users into clicking malicious links or revealing sensitive information through sophisticated phishing attacks.

🟠 Likely Case

Limited HTML injection in email subjects that could be used for minor UI manipulation or basic phishing attempts, but without JavaScript execution capabilities.

🟢 If Mitigated

With proper CSP and input validation, the impact is limited to visual manipulation of email subjects without code execution or data compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to a Nextcloud Mail account. The HTML injection is straightforward and doesn't require advanced technical skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.3

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5

Restart Required: No

Instructions:

1. Update the Nextcloud Mail app to version 5.5.3 or later via the Nextcloud App Store.
2. Navigate to the Nextcloud admin panel.
3. Go to the Apps section.
4. Find the Mail app and click update.
5. No server restart is required.

🔧 Temporary Workarounds

Disable Mail App

Temporarily disable the Nextcloud Mail app until patching is possible:

occ app:disable mail

🧯 If You Can't Patch

  • Restrict user permissions to minimize authenticated attack surface
  • Implement additional monitoring for unusual HTML content in email subjects

🔍 How to Verify

Check if Vulnerable:

Check Mail app version in Nextcloud admin panel under Apps section

Check Version:

occ app:list | grep mail

Verify Fix Applied:

Verify Mail app version is 5.5.3 or higher in Nextcloud admin panel
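As an added example (not part of this advisory and not Nextcloud's own tooling), the following Python check parses `occ app:list` output and reports whether the installed Mail app is below the fixed 5.5.3 release and whether it is currently enabled. The embedded sample output is constructed, and the assumed `occ app:list` layout (an `Enabled:` and a `Disabled:` section, each with `- app_id: version` lines) is an assumption to verify against your own host.

```python
import re
import sys

# Constructed sample of `occ app:list` output (not captured from a real host).
SAMPLE_APP_LIST = """\
Enabled:
  - activity: 2.21.1
  - mail: 5.5.2
  - files: 2.0.0
Disabled:
  - encryption: 2.17.0
"""

FIXED_VERSION = (5, 5, 3)  # first Nextcloud Mail release with the fix for CVE-2025-66514


def parse_version(text):
    """Turn '5.5.2' (or '5.5.2-beta1') into a tuple of ints that compares numerically."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def parse_app_list(output):
    """Map app id -> (version tuple, enabled flag) from occ app:list output (assumed layout)."""
    apps = {}
    enabled = None  # unknown until we see a section header
    for line in output.splitlines():
        header = line.strip()
        if header == "Enabled:":
            enabled = True
        elif header == "Disabled:":
            enabled = False
        else:
            m = re.match(r"\s*-\s*([\w.-]+):\s*(\S+)", line)
            if m and enabled is not None:
                apps[m.group(1)] = (parse_version(m.group(2)), enabled)
    return apps


def assess_mail_app(output):
    """Return None if the Mail app is not installed, else version/enabled/exposure details."""
    apps = parse_app_list(output)
    if "mail" not in apps:
        return None
    version, enabled = apps["mail"]
    vulnerable = version < FIXED_VERSION          # code-level: pre-5.5.3 build present
    return {
        "version": ".".join(map(str, version)),
        "enabled": enabled,
        "vulnerable": vulnerable,
        "exposed": enabled and vulnerable,        # disabled app is the page's interim workaround
    }


if __name__ == "__main__":
    # Usage: occ app:list | python3 check_mail_cve.py
    print(assess_mail_app(sys.stdin.read()))
```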

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML patterns in email subject lines
  • Multiple failed attempts to send emails with HTML in subjects

Network Indicators:

  • Unusual patterns in email synchronization traffic

SIEM Query (pseudo-syntax; adapt to your SIEM's query language and field names):

source="nextcloud" AND (message="mail" OR message="email") AND (subject CONTAINS "<" OR subject CONTAINS ">")
