Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-66514

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

Published

2025-12-05T18:15:57.457

Last Modified

2025-12-09T19:23:19.687

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

Weaknesses

Type: Secondary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	mail	< 5.5.3	Yes

References

https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 Patch ([email protected])
https://github.com/nextcloud/mail/pull/11740 Issue Tracking, Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 Patch, Vendor Advisory ([email protected])
https://hackerone.com/reports/3357036 Permissions Required, Vendor Advisory ([email protected])