CVSS: 2.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-47794 – Nextcloud Server vulnerable to insecure temporary file creation, race with write access and permission
https://notcve.org/view.php?id=CVE-2025-47794
16 May 2025 — Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink attack. Nextcloud Server versions 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1 fix t... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q568-2933-gcjq • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-47793 – Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file
https://notcve.org/view.php?id=CVE-2025-47793
16 May 2025 — Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, N... • https://github.com/nextcloud/groupfolders/pull/3328 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-47790 – Nextcloud Server doesn't request second factor after session timeout
https://notcve.org/view.php?id=CVE-2025-47790
16 May 2025 — Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and th... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9h3w-f3h4-qqrh • CWE-287: Improper Authentication •
CVSS: 4.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52514 – Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control
https://notcve.org/view.php?id=CVE-2024-52514
15 Nov 2024 — Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.1... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj • CWE-284: Improper Access Control •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-52515 – Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews
https://notcve.org/view.php?id=CVE-2024-52515
15 Nov 2024 — Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hw8c-2236 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37887 – Nextcloud Server's events information leaked with shared calendars on recurrence exceptions
https://notcve.org/view.php?id=CVE-2024-37887
14 Jun 2024 — Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. Nextcloud Server es un sistema de nube personal autohospedado. Los participantes pueden leer las excepciones de recurrencia de los eventos privados del calendario compartido. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37884 – Nextcloud Server's users can delete old versions of read-only shared files
https://notcve.org/view.php?id=CVE-2024-37884
14 Jun 2024 — Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un usuario malintencionado pudo enviar solicitudes de eliminación de versiones antiguas de archivos ... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37315 – Nextcloud Server's read-only users can restore old versions
https://notcve.org/view.php?id=CVE-2024-37315
14 Jun 2024 — Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un atacante con acceso de solo lectura a un archivo puede... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 • CWE-284: Improper Access Control •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37313 – Nextcloud server allows the by-pass the second factor
https://notcve.org/view.php?id=CVE-2024-37313
14 Jun 2024 — Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. El servidor Nextcloud es un sistema de nube personal autohospedado. En algunas circunstancias, fue posible omiti... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c • CWE-287: Improper Authentication •