Vulnerability Description
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Deck | < 1.12.7 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185Patch
- https://github.com/nextcloud/deck/pull/6671Issue Tracking
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xPatchVendor Advisory
- https://hackerone.com/reports/2326618Permissions RequiredVendor Advisory
FAQ
What is CVE-2025-66548?
CVE-2025-66548 is a vulnerability with a CVSS score of 3.3 (LOW). Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be s...
How severe is CVE-2025-66548?
CVE-2025-66548 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66548?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Deck.