Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-66557

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.

Published

2025-12-05T18:15:58.977

Last Modified

2025-12-09T16:46:17.283

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	deck	< 1.14.6	Yes
Application	nextcloud	deck	< 1.15.2	Yes

References

https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae Patch ([email protected])
https://github.com/nextcloud/deck/pull/7131 Issue Tracking, Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv Patch, Vendor Advisory ([email protected])
https://hackerone.com/reports/3247499 Issue Tracking, Vendor Advisory ([email protected])