📦 Nextcloud Server
by Nextcloud
⚠️ Known Vulnerabilities
This vulnerability in Nextcloud server allows non-admin users to create workflows that should be restricted to administrators. Since some workflows can execute scripts on the server, this can lead to ...
Nextcloud servers with image previews enabled are vulnerable to server-side request forgery (SSRF), file disclosure, or potential remote code execution when processing malicious image files. This affe...
This vulnerability allows attackers to bypass Nextcloud's brute-force protection by using IPv6 addresses, which weren't included in rate-limiting calculations. Attackers can perform unlimited authenti...
This vulnerability allows attackers to bypass two-factor authentication (2FA) in Nextcloud Server after successfully obtaining valid user credentials. It affects self-hosted Nextcloud instances where ...
This vulnerability in Nextcloud Server allows a malicious user to update any personal or global external storage configuration, making those storage locations inaccessible to all other users. It affec...
This vulnerability in Nextcloud Server allows a malicious authenticated user to delete any personal or global external storage configuration, making those storage locations inaccessible to all users. ...
This vulnerability allows attackers to brute-force password reset links in Nextcloud Server and Nextcloud Enterprise Server, potentially enabling unauthorized account access. Affected users include al...
This vulnerability allows a malicious Nextcloud server to modify or delete vCards in the system address book on a trusted partner server. It affects Nextcloud Server and Enterprise Server installations...
This vulnerability in Nextcloud Server allows attackers to bypass rate limiting protections by sending parallel requests, enabling brute-force attacks on protected details like passwords or tokens. It...
This vulnerability allows attackers to brute-force user credentials on Nextcloud servers via WebDAV endpoints when basic authentication is used and the username is not an email address. It affects Nex...
This CVE describes a session handling vulnerability in Nextcloud Server where logout doesn't properly destroy sessions if cookies aren't manually cleared. An attacker who authenticates with any accoun...
This vulnerability in Nextcloud Server allows account takeover when usernames are reused. When a user account is deleted, their WebAuthn authentication tokens remain active. If a new user later regist...
This vulnerability in Nextcloud Server allows application-specific authentication tokens to escalate their own permissions. Tokens configured with no filesystem access can grant themselves full filesy...
Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference (IDOR) vulnerability in the /core/preview endpoint. Authenticated users can access previews of other users' files by manipulating t...
This vulnerability allows non-privileged Nextcloud users to modify tags on files they shouldn't have access to through bulk tagging operations. It affects Nextcloud Server and Enterprise Server instal...
This vulnerability in Nextcloud Server causes the admin_audit app to fail to log actions on files and folders within groupfolders due to incorrect path handling. It affects Nextcloud Server and Enterp...
This vulnerability allows malicious users to bypass Nextcloud's Content Security Policy (CSP) by tricking users into viewing specially crafted SVG files outside the Nextcloud web interface. This affec...
This vulnerability in Nextcloud Server allows authenticated users to retrieve personal data (emails, names, identifiers) of other users through the contacts search feature without proper access contro...
This Nextcloud vulnerability allows users who receive shared folders containing blocked files to copy the intermediate folder structure, potentially bypassing file access controls. It affects Nextclou...
This vulnerability in Nextcloud Server allows attackers to trick the link reference provider into downloading larger websites than intended when processing HEAD requests to find open-graph data. This ...
This vulnerability in Nextcloud Server exposes fixed credentials for external storage configurations through the API and frontend. An attacker with an active user session can read these credentials in...
This vulnerability in Nextcloud Server exposes global credentials in plain text through the API response when an attacker has access to an active user session. It allows unauthorized reading of sensit...
This vulnerability in Nextcloud Server allows a malicious user to upload a manipulated SVG file that references other file paths. If the referenced file exists, the SVG preview will display that other...