Vulnerability Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 31.0.0, < 31.0.12 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-pPatchVendor Advisory
- https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335Patch
- https://github.com/nextcloud/viewer/pull/3023Issue Tracking
- https://hackerone.com/reports/3357808Issue TrackingVendor Advisory
FAQ
What is CVE-2025-66512?
CVE-2025-66512 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content...
How severe is CVE-2025-66512?
CVE-2025-66512 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66512?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.