Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-66510

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Published

2025-12-05T17:16:04.613

Last Modified

2025-12-10T16:12:34.217

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-359

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 28.0.14.11	Yes
Application	nextcloud	nextcloud_server	< 29.0.16.8	Yes
Application	nextcloud	nextcloud_server	< 30.0.17.3	Yes
Application	nextcloud	nextcloud_server	< 31.0.10	Yes
Application	nextcloud	nextcloud_server	< 31.0.10	Yes
Application	nextcloud	nextcloud_server	< 32.0.1	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59 Patch, Vendor Advisory ([email protected])
https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57 Patch ([email protected])
https://github.com/nextcloud/server/pull/55657 Issue Tracking ([email protected])