Vulnerability Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 31.0.0, < 31.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-rPatchVendor Advisory
- https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3dPatch
- https://github.com/nextcloud/server/issues/51247Issue Tracking
- https://github.com/nextcloud/server/pull/51288Issue Tracking
- https://hackerone.com/reports/3040887Permissions RequiredVendor Advisory
FAQ
What is CVE-2025-66547?
CVE-2025-66547 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bul...
How severe is CVE-2025-66547?
CVE-2025-66547 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66547?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.