| Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId) |
Improper Access Control - Generic |
msatz |
Medium |
2026-05-21 |
| SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution |
SQL Injection |
suul |
High |
2026-05-15 |
| Private circle can be added to another circle via API despite visibility restriction |
Insecure Direct Object Reference (IDOR) |
vidang04 |
Low |
2026-05-08 |
| Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner |
Insecure Direct Object Reference (IDOR) |
0x0doteth |
Low |
2026-05-08 |
| View-only guests could see deleted Collectives pages in the trashbin |
Improper Access Control - Generic |
yoyomiski |
Low |
2026-05-08 |
| Improper input validation On Exported deep-link handler crashes `FileDisplayActivity` on crafted external URL — Denial-of-Service |
Improper Null Termination |
khoof |
None |
2026-05-01 |
| SVG filter primitives bypass remote image blocking, enabling email tracking without consent. |
Privacy Violation |
nullcathedral |
Medium |
2026-04-20 |
| position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays. |
Resource Injection |
nullcathedral |
Medium |
2026-04-20 |
| Unquoted body background attribute enables CSS injection that bypasses remote image blocking |
Resource Injection |
nullcathedral |
Medium |
2026-04-20 |
| SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent |
Remote File Inclusion |
nullcathedral |
Medium |
2026-04-20 |
| Stored XSS in attachment-display exploitable through SameSite |
Cross-site Scripting (XSS) - Stored |
aikido_security |
Medium |
2026-04-19 |
| BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data |
Insecure Direct Object Reference (IDOR) |
cyberjoker |
Medium |
2026-04-14 |
| Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute) |
Insufficiently Protected Credentials |
py0zz1 |
Medium |
2026-04-13 |
| IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos |
Insecure Direct Object Reference (IDOR) |
shiva2550 |
No rating |
2026-04-07 |
| Unauthenticated SSRF via Public Reference API -Sharing Token Bypass |
None supplied |
eclipse07077 |
No rating |
2026-03-31 |
| Mail stored HTML injection in subject text |
None supplied |
se1en |
Medium |
2026-02-12 |
| WebAuthn app was updated based on public key |
Insecure Direct Object Reference (IDOR) |
se1en |
Low |
2026-02-06 |
| Easy way to create a new Deck board without permission |
Improper Access Control - Generic |
hakuna |
No rating |
2026-01-16 |
| Can download files on Android app without permission |
Improper Access Control - Generic |
hakuna |
Low |
2026-01-16 |
| Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes |
Information Disclosure |
somerandomdev |
Medium |
2026-01-14 |
| Predictable proposal participant tokens enable unauthorized access and vote submission |
Use of Insufficiently Random Values |
loremipsumi |
Low |
2026-01-04 |
| Users can modify tags on files that do not belong to them |
Improper Access Control - Generic |
rolandsch |
Medium |
2026-01-04 |
| Deck app allows to spoof file extensions by using RTLO characters |
None supplied |
jayateerthag |
Medium |
2026-01-04 |
| Information disclosure via Desktop client when attempting to lock a file inside a end-to-end encrypted directory |
Information Disclosure |
nilsding |
None |
2026-01-04 |
| Stored XSS in contacts app via organisation and title field |
Cross-site Scripting (XSS) - Stored |
updatelap |
Low |
2026-01-04 |
| tabnabbing in roundcube webmail |
None supplied |
waloodi109 |
No rating |
2025-12-24 |
| [nextcloud/mail] Blind SSRF to Internal Network via "List-Unsubscribe" SMTP Header when allow_local_remote_servers is allowed |
Server-Side Request Forgery (SSRF) |
lauritz |
Medium |
2025-12-23 |
| Calendar app allowed booking appointments without the generated token |
Insecure Direct Object Reference (IDOR) |
daroo |
Low |
2025-12-05 |
| Approval app allows users to request approval for other users file |
Improper Authentication - Generic |
0x0doteth |
Medium |
2025-12-05 |
| Stored XSS Vulnerability via SVG File |
Cross-site Scripting (XSS) - Stored |
aptroom |
Medium |
2025-12-05 |
| admin_audit does not log actions on files in a group folder |
Insufficient Logging |
klipz |
Medium |
2025-12-05 |
| Deck app allowed user with "Can share" permission to modify permissions of other non-owners |
Improper Access Control - Generic |
daroo |
Medium |
2025-12-05 |
| Calendar attachments of local files are offered to downloaded |
Improper Handling of Unexpected Data Type |
daroo |
Medium |
2025-12-05 |
| Missing ownership check in Tables app allows moving columns into tables of other users |
Insecure Direct Object Reference (IDOR) |
daroo |
Medium |
2025-12-05 |
| Tables app allowed users to view columns metadata information of any table |
Insecure Direct Object Reference (IDOR) |
daroo |
Medium |
2025-12-05 |
| Participants were able to blindly delete poll drafts of other users by ID |
Insecure Direct Object Reference (IDOR) |
daroo |
Medium |
2025-12-05 |
| Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507) |
Improper Authentication - Generic |
0x0doteth |
Low |
2025-12-05 |
| Path Traversal Vulnerability in Nextcloud Tables Enables Arbitrary File Exfiltration of Any Files Supported by PhpSpreadsheet Library |
Path Traversal |
daroo |
Medium |
2025-10-16 |
| Directory Listing of publicly available assets |
Information Exposure Through Directory Listing |
farhad0x1 |
Medium |
2025-09-29 |
| Email not verified when changing afterwards on apps.nextcloud.com |
Violation of Secure Design Principles |
farhad0x1 |
Low |
2025-09-29 |
| Exposing debug.log file leads to server full path disclosure |
Business Logic Errors |
farhad0x1 |
Medium |
2025-09-29 |
| Sensitive Information Disclosure via Back Button Post Logout on https://apps.nextcloud.com/account/ |
None supplied |
vulnerability_is_here |
Low |
2025-03-16 |
| Possible to enumerate valid files in password protected shares/files drop shares as well as spam folder with files |
Information Disclosure |
lukasreschke |
Low |
2025-02-21 |
| Blind SSRF Vulnerability in Appstore Release Upload Form |
Improper Access Control - Generic |
odaysec |
Low |
2025-01-14 |
| X-E2EE-SIGNATURE verification can be bypassed, leading to loss of confidentiality of end-to-end encrypted files |
Improper Certificate Validation |
d-xuan |
Medium |
2024-12-15 |
| Incomplete sanitization in SVG preview provider |
Information Disclosure |
pulsejet |
Medium |
2024-12-15 |
| Nextcloud mail does not respect download permissions in shares |
Improper Access Control - Generic |
rullzer |
Low |
2024-12-15 |
| Invisible Salamanders Attack against end_to_end_encryption in Nextcloud |
Use of a Broken or Risky Cryptographic Algorithm |
pseudo-llrktbeyk |
Medium |
2024-12-03 |
| External storage - global credentials returned to the client side in plaintext |
Information Disclosure |
tuyenee |
Medium |
2024-11-21 |
| Share information of Tables app is not limited to affected users |
Insecure Direct Object Reference (IDOR) |
cx75fa |
Low |
2024-11-18 |
| Nextcloud Tables app - inserting rows to an arbitrary table possible |
None supplied |
tuyenee |
Medium |
2024-11-17 |
| User can copy locked folders and gain access to the contents |
Improper Access Control - Generic |
maccs |
Medium |
2024-11-16 |
| Open redirect when logging in with user_oidc |
Open Redirect |
kesselb |
No rating |
2024-11-15 |
| Attachments folder for Text app is accessible on Files Drop/Password protected shares |
Information Disclosure |
lukasreschke |
Low |
2024-11-15 |
| Mail auto configurator can be tricked into sending account information to wrong servers |
Information Disclosure |
shushangw |
High |
2024-11-15 |
| ID4ME does not validate signature or expiration |
Improper Verification of Cryptographic Signature |
mikaelgundersen |
Medium |
2024-07-14 |
| Re-emergence of Security Vulnerability in Nextcloud Version 28 Previously Fixed in 25.0.4 |
Improper Access Control - Generic |
flood78 |
Medium |
2024-07-14 |
| Can reshare read&share only folder with more permissions |
Improper Access Control - Generic |
fernandoenzo |
High |
2024-07-14 |
| Event create can create attachments that link to other websites |
Open Redirect |
simcard |
Medium |
2024-07-14 |
| Missing permission check when removing a photo from an album |
Improper Access Control - Generic |
juliushaertl |
Low |
2024-07-14 |
| Ability to by-pass second factor |
Improper Authentication - Generic |
everysinglusernametaken |
Medium |
2024-07-14 |
| Notes app can be tricked into using a received share created before the user logged in |
Business Logic Errors |
maholli |
Medium |
2024-06-19 |
| see card comments after remove shared board |
Improper Access Control - Generic |
mohs3n |
Medium |
2024-06-18 |
| Events information leaked with shared calendars on recurrence exceptions |
Information Disclosure |
section1 |
Low |
2024-06-14 |
| Read-only users can restore old versions |
Improper Access Control - Generic |
7h3b4dg3r |
Medium |
2024-06-14 |
| Code injection in Nextcloud Desktop Client for macOS |
Code Injection |
lourcode |
No rating |
2024-06-14 |
| ID4me feature of OpenID connect app available even when disabled |
Improper Access Control - Generic |
lukasreschke |
Medium |
2024-05-30 |
| Weak ssh algorithms and CVE-2023-48795 Discovered on various subdomains of nextcloud.com |
Use of a Broken or Risky Cryptographic Algorithm |
axosolaman |
Medium |
2024-05-22 |
| OAuth2 "authorization_code" is valid indefinetly |
Violation of Secure Design Principles |
mikaelgundersen |
Low |
2024-02-17 |
| Can download files by zipping the folder |
Improper Access Control - Generic |
nickvergessen |
Medium |
2024-02-17 |
| xmlrpc.php &wp-cron.php files are enabled, and will used for (DDOS),(DOS) and broutforce users attack. |
XML External Entities (XXE) |
cyber-tech |
No rating |
2024-02-08 |
| Authentication bypass in Global Site Selector allows an attacker to log in as any user |
None supplied |
ryotak |
Critical |
2024-01-18 |
| Improper handling of request URLs in nextcloud/guests allows guest users to bypass app allowlist |
Improper Handling of URL Encoding (Hex Encoding) |
ryotak |
Medium |
2024-01-18 |
| Non-admin users can reset app allowlist to the default |
Business Logic Errors |
ryotak |
Medium |
2024-01-18 |
| Open redirect in user_saml via RelayState parameter |
Open Redirect |
ryotak |
Low |
2024-01-18 |
| Self XSS when sending HTML as a comment in the Deck app |
Cross-site Scripting (XSS) - Generic |
hackit_bharat |
None |
2024-01-18 |
| Bruteforce protection in password verification can be bypassed |
Improper Restriction of Authentication Attempts |
taise |
Medium |
2024-01-17 |
| Bypass password confirmation via Context-dependent access control (CDCA) |
Improper Access Control - Generic |
st0nzy |
Medium |
2024-01-17 |
| Error when editing a calendar appointment returns stacktrace and query |
Information Disclosure |
st0nzy |
Medium |
2024-01-17 |
| Blind SSRF in Mail App |
Server-Side Request Forgery (SSRF) |
maholli |
Low |
2024-01-10 |
| DNS pin middleware can be tricked into DNS rebinding allowing SSRF |
Server-Side Request Forgery (SSRF) |
retr02332 |
Medium |
2024-01-01 |
| RCE on Wordpress website |
Deserialization of Untrusted Data |
lukasreschke |
Critical |
2023-12-28 |
| Self XSS when pasting HTML into Text app with Ctrl+Shift+V |
Cross-site Scripting (XSS) - DOM |
max_nextcloud |
Medium |
2023-12-21 |
| Admins can change authentication details of user configured external storage |
Improper Access Control - Generic |
st0nzy |
Low |
2023-12-21 |
| App PIN code can be bypassed in Files iOS |
Improper Authentication - Generic |
spell1 |
Low |
2023-12-18 |
| Enabling Birthday Contact to any user |
Insecure Direct Object Reference (IDOR) |
nvz |
Medium |
2023-11-21 |
| user_ldap app logs user passwords in the log file on level debug |
Cleartext Storage of Sensitive Information |
alacn1 |
Medium |
2023-11-21 |
| Delete external storage of any user |
Improper Access Control - Generic |
cx75fa |
High |
2023-11-21 |
| HTML injection in search UI when selecting a circle with HTML in the display name |
Cross-site Scripting (XSS) - Stored |
cx75fa |
Low |
2023-11-21 |
| OAuth2 client_secret stored in plain text in the database |
Cleartext Storage in a File or on Disk |
rullzer |
Medium |
2023-11-15 |
| Password of talk conversations can be bruteforced |
Improper Restriction of Authentication Attempts |
nickvergessen |
Medium |
2023-11-12 |
| Memcached used as RateLimiter backend is no-op |
Improper Restriction of Authentication Attempts |
nickvergessen |
Medium |
2023-11-12 |
| Responsive Server-side Request Forgery (SSRF) |
Server-Side Request Forgery (SSRF) |
bhmth |
Medium |
2023-10-19 |
| Inviting excessive long email addresses to a calendar event makes the server unresponsive |
Uncontrolled Resource Consumption |
shuvam321 |
Medium |
2023-10-16 |
| Existance of calendars and addressbooks can be checked by unauthenticated users |
Improper Access Control - Generic |
themarkib0x0 |
Low |
2023-09-26 |
| No Rate Limit On Forgot Password on https://apps.nextcloud.com |
Improper Authentication - Generic |
cyber_world_01 |
No rating |
2023-09-26 |
| Nextcloud All-In-One path disclosure of internal frontend |
Information Disclosure |
shuvam321 |
None |
2023-09-26 |
| Dos in Form Submission at https://nextcloud.com/instant-trial/ |
Uncontrolled Resource Consumption |
krrish_hackk |
Medium |
2023-09-26 |
| Permissions not respected when copying entire group folders |
Improper Access Control - Generic |
carl_schwan |
Medium |
2023-09-09 |
| Text does not respect 'Allow download' permissions |
Improper Access Control - Generic |
rullzer |
Low |
2023-08-23 |
| Issuer not verified from obtained token in user_oidc |
None supplied |
rullzer |
Medium |
2023-08-23 |
| App stores client secret unencrypted in database |
Missing Encryption of Sensitive Data |
rullzer |
Low |
2023-08-23 |
| Path traversal allows tricking the Talk Android app into writing files into it's root directory |
Path Traversal |
fr4via |
Medium |
2023-08-14 |
| Improper restriction of excessive authentication attempts on WebDAV endpoint |
Improper Restriction of Authentication Attempts |
unknownsh |
Medium |
2023-08-10 |
| New AppPassword can be generated without password confirmation |
Improper Access Control - Generic |
mikaelgundersen |
High |
2023-08-10 |
| Missing brute force protection on OAuth2 API controller |
Improper Restriction of Authentication Attempts |
mikaelgundersen |
Medium |
2023-08-10 |
| Notes attachments render HTML in preview mode |
Cross-site Scripting (XSS) - Reflected |
incident-response |
Low |
2023-08-10 |
| Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem |
Improper Access Control - Generic |
cult |
Medium |
2023-08-10 |
| Password reset endpoint is not brute force protected |
Improper Restriction of Authentication Attempts |
rullzer |
High |
2023-07-21 |
| Brute force protection allows to send more requests than intended |
Improper Restriction of Authentication Attempts |
polapain1337 |
Medium |
2023-07-13 |
| User scoped external storage can be used to gather credentials of other users |
Business Logic Errors |
bhmth |
High |
2023-06-27 |
| Contacts only sanitizes PHOTO svg if mime type is all lower case |
Cross-site Scripting (XSS) - Generic |
christophwurst |
None |
2023-06-24 |
| user_oidc app is missing bruteforce protection |
Improper Restriction of Authentication Attempts |
nickvergessen |
Medium |
2023-06-23 |
| End-to-end encrypted file-drops can be made inaccessible |
Improper Access Control - Generic |
rullzer |
High |
2023-06-22 |
| Open redirect on "Unsupported browser" warning |
Open Redirect |
akshayravic09yc47 |
Medium |
2023-06-22 |
| Error in Booking an appointment reveals the full path of the website |
Improper Access Control - Generic |
themarkib0x0 |
Low |
2023-06-18 |
| Basic auth header on WebDAV requests is not bruteforce protected |
Improper Restriction of Authentication Attempts |
hackit_bharat |
High |
2023-06-02 |
| Blind SSRF as normal user from mailapp |
Server-Side Request Forgery (SSRF) |
unknownsh |
Low |
2023-05-30 |
| Users can set up workflows using restricted and invisible system tags |
Improper Access Control - Generic |
maxime_le-hericy |
Medium |
2023-05-17 |
| No rate limit while adding Additional emails feature |
None supplied |
cryptographer |
Low |
2023-05-16 |
| Reflected XSS vulnerability with full CSP bypass in Nextcloud installations using recommended bundle |
Cross-site Scripting (XSS) - Reflected |
lukasreschke |
Medium |
2023-05-15 |
| App pin of the Android app can be bypassed via 3rdparty apps generating deep links |
Improper Authentication - Generic |
meinereiner |
Low |
2023-05-04 |
| Potential directory traversal in OC\Files\Node\Folder::getFullPath |
Path Traversal: 'dir\..\..\filename' |
nickvergessen |
Medium |
2023-05-04 |
| Document content of files can be obtained through Collabora for files of other users |
Improper Access Control - Generic |
juliushaertl |
Medium |
2023-05-04 |
| Hide download previews are accessible without a watermark |
Improper Access Control - Generic |
juliushaertl |
Low |
2023-05-04 |
| Reference fetch can saturate the server bandwidth for 10 seconds |
Uncontrolled Resource Consumption |
brthnc |
Medium |
2023-04-29 |
| Name collision of shared folders |
Use of Incorrectly-Resolved Name or Reference |
aslfv |
Medium |
2023-04-29 |
| Desktop client does not verify received singed certificate in end to end encryption |
Improper Certificate Validation |
mikaelgundersen |
Medium |
2023-04-27 |
| Missing brute force protection for passwords of password protected share links |
Improper Restriction of Authentication Attempts |
hackit_bharat |
Low |
2023-04-25 |
| Ability to read any emails through IDOR on Nextcloud Mail |
Insecure Direct Object Reference (IDOR) |
ctulhu |
Medium |
2023-04-12 |
| Full Passcode bypass on Nextcloud App iOS |
Improper Access Control - Generic |
ctulhu |
Low |
2023-04-10 |
| Ability to control the filename when uploading a logo or favicon on theming |
Violation of Secure Design Principles |
ctulhu |
Low |
2023-04-10 |
| Website PHP source code returned in javascript |
None supplied |
mdfarhanchowdhuryhasin |
Medium |
2023-04-10 |
| CSRF protection on OIDC login is broken |
Cross-Site Request Forgery (CSRF) |
mikaelgundersen |
Medium |
2023-04-04 |
| Twitter Account hijack @nextcloudfrance |
None supplied |
devokta |
Medium |
2023-03-30 |
| the complete server installation path is visible in cloud/user endpoint |
Improper Removal of Sensitive Information Before Storage or Transfer |
bohwaz |
Low |
2023-03-30 |
| Insecure randomness for default password in file sharing when password policy app is disabled |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
gorei |
Low |
2023-03-30 |
| Secure view trivial to bypass |
Improper Access Control - Generic |
rullzer |
Medium |
2023-03-30 |
| Lack of bruteforce protection for TOTP 2FA |
Improper Restriction of Authentication Attempts |
bncrypted |
Medium |
2023-03-26 |
| Arbitrary read of all SVG files on a Nextcloud server |
Path Traversal |
bncrypted |
High |
2023-03-26 |
| Cards in Deck are readable by any user |
Information Disclosure |
shakierbellows |
Medium |
2023-03-26 |
| Chat room member disclosure via autocomplete API |
Improper Access Control - Generic |
lukasreschke |
Medium |
2023-03-25 |
| Missing brute force protection on password confirmation modal |
Improper Restriction of Authentication Attempts |
hackit_bharat |
Medium |
2023-03-21 |
| Mail app stores cleartext password in database until OAUTH2 setup is done |
Plaintext Storage of a Password |
christophwurst |
Low |
2023-03-08 |
| Missing rate limiting on password reset functionality allows to send lot of emails |
Improper Access Control - Generic |
primebeast |
Low |
2023-03-05 |
| Targeted phishing attacks in Login flow v2 |
Phishing |
rtod |
Medium |
2023-03-03 |
| Messages can still be seen on conversation after expiring when cron is misconfigured |
Privacy Violation |
ctulhu |
Low |
2023-02-27 |
| Download permissions can be changed by resharer |
Improper Access Control - Generic |
rullzer |
Medium |
2023-02-24 |
| Desktop client can be tricked into opening/executing local files when clicking a nc://open/ link |
Code Injection |
lukasreschke |
Medium |
2023-02-10 |
| SSRF via filter bypass due to lax checking on IPs |
Server-Side Request Forgery (SSRF) |
obitorasu |
Medium |
2023-02-10 |
| No password length restriction in reset password endpoint |
Uncontrolled Resource Consumption |
aditya404 |
Low |
2023-02-09 |
| Vulnerable moment-timezone version shipped |
Cleartext Transmission of Sensitive Information |
mik-patient |
No rating |
2023-02-08 |
| Suspicious login app ships old league/flysystem version |
Violation of Secure Design Principles |
mik-patient |
No rating |
2023-02-08 |
| Mail app - blind SSRF via smtpHost parameter |
Server-Side Request Forgery (SSRF) |
supr4s |
Low |
2023-02-06 |
| Mail app - Blind SSRF via Sierve server fonctionnality and sieveHost parameter |
Server-Side Request Forgery (SSRF) |
supr4s |
Low |
2023-02-06 |
| Mail app - blind SSRF via imapHost parameter |
Server-Side Request Forgery (SSRF) |
supr4s |
Low |
2023-02-06 |
| Reference caching can leak data to unauthorized users |
Insecure Storage of Sensitive Information |
systemkeeper |
Medium |
2023-01-13 |
| CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link |
Cross-Site Request Forgery (CSRF) |
lukasreschke |
Medium |
2023-01-11 |
| Passcode bypass on Talk Android app |
Improper Access Control - Generic |
ctulhu |
Low |
2023-01-09 |
| Possibility to delete files attached to deck cards of other users |
Insecure Direct Object Reference (IDOR) |
supr4s |
Low |
2023-01-09 |
| Missing character limitation allows to put generate a database error |
Uncontrolled Resource Consumption |
errorsec_ |
Low |
2023-01-09 |
| HEIC image preview can be used to invoke Imagick |
Information Disclosure |
lukasreschkenc |
Critical |
2023-01-07 |
| Guests can continue to receive video streams from call after being removed from a conversation |
Privacy Violation |
daniel_calvino_sanchez |
Medium |
2022-12-31 |
| No password length limit when creating a user as an administrator |
Uncontrolled Resource Consumption |
not_hackeronefour |
Low |
2022-12-31 |
| Disabled download shares still allow download through preview images |
Improper Access Control - Generic |
juliushaertl |
Low |
2022-12-31 |
| SMTP Command Injection in Appointment Emails via Newlines |
CRLF Injection |
spaceraccoon |
Medium |
2022-12-27 |
| nextcloudcmd incorrectly trusts bad TLS certificates |
Improper Certificate Validation |
tobiaskaminsky |
Low |
2022-12-25 |
| Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate |
Improper Access Control - Generic |
andyscherzinger |
Low |
2022-12-25 |
| Missing length validation of user displayname allows to generate an SQL error |
Uncontrolled Resource Consumption |
errorsec_ |
Low |
2022-12-20 |
| [user_oidc] Stored XSS via Authorization Endpoint - Safari-Only |
Cross-site Scripting (XSS) - Stored |
lauritz |
Low |
2022-12-18 |
| [user_oidc] Unencrypted Communications |
Cleartext Transmission of Sensitive Information |
lauritz |
Low |
2022-12-18 |
| Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log] |
Information Disclosure |
0x3bdo |
Low |
2022-12-15 |
| A vulnerability classified as critical has been found in gsi-openssh-server 7.9p1 on Fedora (Connectivity Software) on server (http://95.217.64.181:22 |
None supplied |
ibrahim71192 |
Low |
2022-12-10 |
| [nextcloud/server] Moment.js vulnerable to Inefficient Regular Expression Complexity |
Improper Authentication - Generic |
mik-patient |
No rating |
2022-12-09 |
| Calendar name length not validated before writing to database |
Uncontrolled Resource Consumption |
errorsec_ |
Low |
2022-12-01 |
| Exception logging in Sharepoint app reveals clear-text connection details |
Cleartext Storage of Sensitive Information |
kichernde_erbse |
Medium |
2022-11-26 |
| Profile of disabled user stays accessible |
Improper Access Control - Generic |
mikaelgundersen |
Low |
2022-11-26 |
| Database resource exhaustion for logged-in users via sharee recommendations with circles |
Uncontrolled Resource Consumption |
michag86 |
Medium |
2022-11-26 |
| XSS in Desktop Client in call notification popup |
Resource Injection |
b911bade858ce8e6a0f50f8 |
Low |
2022-11-25 |
| XSS in Desktop Client via user status and information |
Resource Injection |
b911bade858ce8e6a0f50f8 |
Low |
2022-11-25 |
| XSS in Desktop Client in the notifications |
Cross-site Scripting (XSS) - Generic |
b911bade858ce8e6a0f50f8 |
Low |
2022-11-25 |
| Generated passwords are not fully validated by HIBPValidator |
Weak Cryptography for Passwords |
bjoernv |
Low |
2022-10-01 |
| SSRF via potential filter bypass with too lax local domain checking |
Server-Side Request Forgery (SSRF) |
tomorrowisnew_ |
Low |
2022-09-16 |
| Last video frame is still sent after video is disabled in a call |
Privacy Violation |
daniel_calvino_sanchez |
Medium |
2022-09-16 |
| Information exposure in in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle) |
Information Exposure Through Debug Information |
ro0t_elqayser |
Low |
2022-09-16 |
| Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app |
Path Traversal |
luchua |
Low |
2022-09-11 |
| Unauthenticated SSRF in 3rd party module "cerdic/csstidy" |
Server-Side Request Forgery (SSRF) |
eg42 |
Medium |
2022-09-03 |
| Brute force protections don't work |
Privacy Violation |
nickvergessen |
Low |
2022-09-03 |
| Password disclosure in initial setup of Mail App |
Cleartext Storage of Sensitive Information |
anna_larch |
Low |
2022-09-03 |
| Federated share accepting/declining is not logged in audit log |
Business Logic Errors |
rtod |
Low |
2022-09-03 |
| Lack of Brute force protection while joining video call in talk section which is password protected |
Privacy Violation |
errorsec_ |
Low |
2022-08-08 |
| @nextcloud/logger NPM package brings vulnerable ansi-regex version |
Uncontrolled Resource Consumption |
ro0t_elqayser |
Low |
2022-07-29 |
| Ownership check missing when updating or deleting attachments |
Insecure Direct Object Reference (IDOR) |
kesselb |
Medium |
2022-07-06 |
| SMTP Command Injection in iCalendar Attachments to Emails via Newlines |
CRLF Injection |
spaceraccoon |
Medium |
2022-07-04 |
| Federated editing allows iframing possibly malicious remotes |
Improper Access Control - Generic |
rtod |
Low |
2022-07-02 |
| bypass forced password protection via circles app |
Business Logic Errors |
michag86 |
Low |
2022-06-19 |
| Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic |
Privacy Violation |
michag86 |
Low |
2022-06-09 |
| user can bypass password enforcement when federated sharing is enabled |
None supplied |
michag86 |
No rating |
2022-06-01 |
| Improper input-size validation on the user new session name can result in server-side DDoS. |
Uncontrolled Resource Consumption |
demonia |
Medium |
2022-05-31 |
| Control character filtering misses leading and trailing whitespace in file and folder names |
CRLF Injection |
david_h1 |
Medium |
2022-05-27 |
| Notification implicit PendingIntent in com.nextcloud.client allows to access contacts |
Information Disclosure |
imnotyouaa_test |
Low |
2022-05-27 |
| Error in Deleting Deck cards attachment reveals the full path of the website |
Information Disclosure |
ctulhu |
Low |
2022-05-20 |
| Nextcloud Deck : Possibility for anyone to add a stack with existing tasks on anyone's board |
Insecure Direct Object Reference (IDOR) |
supr4s |
Medium |
2022-05-20 |
| Sensitive files/ data exists post deletion of user account |
Improper Access Control - Generic |
geekysherlock |
Low |
2022-05-20 |
| SQL injextion via vulnerable doctrine/dbal version |
SQL Injection |
nickvergessen |
High |
2022-05-11 |
| com.nextcloud.client bypass the protection lock in andoid app v 3.18.1 latest version. |
Improper Access Control - Generic |
dashingjaved |
Low |
2022-04-30 |
| Possibility to force an admin to install recommended applications |
Cross-Site Request Forgery (CSRF) |
igorpyan |
Low |
2022-04-29 |
| Folder architecture and Filesizes of private file drop shares can be getten |
Information Disclosure |
shakierbellows |
Medium |
2022-04-09 |
| User files is disclosed when someone called while the screen is locked |
Information Disclosure |
ctulhu |
Medium |
2022-03-14 |
| High memory usage for generating preview of broken image |
Incorrect Calculation of Buffer Size |
fancycode |
Low |
2022-03-09 |
| objectId in share location can be set to open arbitrary URL or Deeplinks |
Business Logic Errors |
ctulhu |
Medium |
2022-03-08 |
| When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL |
Business Logic Errors |
ctulhu |
Medium |
2022-02-15 |
| Information Exposure Through Directory Listing vulnerability |
Information Exposure Through Directory Listing |
b82e8b928c2b3d60a82d6ec |
Medium |
2022-02-11 |
| Leaking sensitive information through JSON file path. |
Insecure Storage of Sensitive Information |
rohitburke |
Medium |
2022-02-07 |
| RCE on 17 different Docker containers on your network |
Code Injection |
0x0luke |
Critical |
2021-10-20 |
| End to end encryption public key is not properly verified on Desktop and Android |
None supplied |
rtod |
Medium |
2021-09-23 |
| Clients do not verify server public key |
None supplied |
rtod |
Low |
2021-09-23 |
| Bypass of privacy filter / tracking pixel blocker |
Information Disclosure |
foobar7 |
Medium |
2021-08-11 |
| public webdav endpoint not bruteforce protected |
None supplied |
rtod |
Low |
2021-08-11 |
| index.php/apps/files_sharing/shareinfo endpoint is not properly protected |
Denial of Service |
rtod |
Medium |
2021-08-11 |
| Add to your nextcloud endpoint is not properly protected |
None supplied |
rtod |
Low |
2021-08-11 |
| ApiService#fetch serves content as text/html and inline Content-Disposition |
Cross-site Scripting (XSS) - Stored |
lukasreschkenc |
No rating |
2021-08-11 |
| Text app leaks file path of shared files |
Information Disclosure |
lukasreschkenc |
Low |
2021-08-11 |
| Download of file with arbitrary extension via injection into attachment header |
Code Injection |
foobar7 |
Medium |
2021-08-11 |
| Ratelimits do not apply to OCS DataResponse |
Brute Force |
lukasreschkenc |
None |
2021-08-11 |
| Virtual Data Room / Hide download on collabora is easy to bypass |
Improper Access Control - Generic |
rtod |
High |
2021-08-07 |
| Webauthn tokens are not removed on user deletion |
Improper Access Control - Generic |
rtod |
Medium |
2021-08-07 |
| Two-factor authentication enforcement bypass |
None supplied |
abdullah-a |
High |
2021-07-31 |
| Leak arbitrary file under nextcloud android client privacy directory |
None supplied |
wester0x01 |
Medium |
2021-07-17 |
| Ransomware protection is missing extentions take 2 |
None supplied |
rtod |
Low |
2021-07-16 |
| User deletion is not handled properly everywhere |
None supplied |
rtod |
Medium |
2021-07-15 |
| Scoped apptokens can be changed by that very apptoken |
Improper Access Control - Generic |
rtod |
High |
2021-07-15 |
| Admin audit is not properly logging unsetting of expiration date |
None supplied |
rtod |
Low |
2021-07-15 |
| Ratelimiting can be bypassed using IPv6 subnets |
Brute Force |
sjw |
Low |
2021-07-01 |
| Malicious apps can crash Nextcloud Android client by sending malformed intents |
None supplied |
bigbug |
No rating |
2021-06-17 |
| Session fixation on public talk links |
Session Fixation |
rtod |
Medium |
2021-06-16 |
| Android app does not clear end to end encryption keys |
None supplied |
rtod |
Low |
2021-06-16 |
| Trusted server shared secret stored unencrypted in the database |
Improper Access Control - Generic |
rtod |
Low |
2021-06-16 |
| Federated shares are not password protected |
Improper Authentication - Generic |
rtod |
Medium |
2021-06-16 |
| Ransomware protection is missing extensions |
None supplied |
rtod |
Low |
2021-06-16 |
| No admin audit log for auth tokens |
None supplied |
rtod |
Low |
2021-06-16 |
| No admin audit entry for enabling/disabling 2FA |
None supplied |
rtod |
Low |
2021-06-16 |
| Serverinfo endpoints are not bruteforce protected nor are tokens properly generated |
None supplied |
rtod |
Low |
2021-06-16 |
| Default Nextcloud Server and Android Client leak sharee searches to Nextcloud |
Improper Access Control - Generic |
rtod |
Low |
2021-06-15 |
| File drop public link can also be converted to federated share |
Improper Access Control - Generic |
rtod |
Low |
2021-06-10 |
| Trusted servers exchange can be triggered by attacker |
Improper Access Control - Generic |
rtod |
Medium |
2021-06-10 |
| Default settings leak federated cloud id to lookup server of all users |
Information Disclosure |
rtod |
Low |
2021-06-10 |
| Attacker can obtain write access to any federated share/public link |
Improper Authentication - Generic |
rtod |
High |
2021-06-10 |
| End to end encryption folder locking is not properly protected |
Improper Access Control - Generic |
rtod |
Low |
2021-06-10 |
| SSL certificate not validated when registering with a provider |
Cryptographic Issues - Generic |
icewater |
Medium |
2021-06-02 |
| DoS due to improper input validation can break the admin's access to the user data and will disallow him from editing that user's data. |
Uncontrolled Resource Consumption |
demonia |
High |
2021-06-01 |
| Take over a mail account due to missing validation of account id |
Improper Access Control - Generic |
kesselb |
Medium |
2021-06-01 |
| Create alias does not validate account id |
Improper Access Control - Generic |
kesselb |
Medium |
2021-06-01 |
| Default Nextcloud server config and iOS Nextcloud client leak sharee searches to Nextcloud |
Improper Access Control - Generic |
rtod |
Low |
2021-05-31 |
| Talk discloses turn server to anybody |
None supplied |
rtod |
Low |
2021-05-26 |
| Nextcloud deck sharee search leaks searches to lookupserver by default |
Improper Access Control - Generic |
rtod |
Low |
2021-05-26 |
| Default Nextcloud allows http federated shares |
None supplied |
rtod |
Medium |
2021-05-11 |
| Nextcloud update checks leak information |
Information Disclosure |
rtod |
None |
2021-05-01 |
| Unexpected federated shares added via public link |
Improper Access Control - Generic |
rtod |
Medium |
2021-04-26 |
| Password policy changes not enforced for existing passwords |
Weak Cryptography for Passwords |
rtod |
Low |
2021-04-26 |
| bypassing dashboard without account + Information disclosure through websockets |
Improper Access Control - Generic |
deb0con |
High |
2021-04-20 |
| No set limit to try to login in "https://auth.nextcloud.com/auth/realms/master/protocol/openid-connect/auth" page. |
Improper Restriction of Authentication Attempts |
syachineko |
No rating |
2021-04-20 |
| Nextcloud Desktop Client RCE via malicious URI schemes |
Resource Injection |
7a69 |
Medium |
2021-04-15 |
| HTML Injection on "polls" app - comments section (possibly XSS) |
Cross-site Scripting (XSS) - Generic |
supr4s |
Low |
2021-03-31 |
| Clickjacking URLS |
None supplied |
tinkerermaruthu |
No rating |
2021-03-10 |
| Formula Injection vulnerability in CSV export feature |
Code Injection |
6661620a |
Medium |
2021-03-04 |
| The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18) |
Improper Access Control - Generic |
daniel_calvino_sanchez |
Low |
2021-03-04 |
| Acting under any different user via DB-stored credentials |
Improper Access Control - Generic |
alexanderhofstaetter |
High |
2021-03-01 |
| Reflected XSS when renaming a file with a vulnerable name which results in an error |
Cross-site Scripting (XSS) - Reflected |
yzy9951 |
Medium |
2021-03-01 |
| External storage app saves password for all users in the database |
Storing Passwords in a Recoverable Format |
alacn1 |
High |
2021-03-01 |
| Social App does not validate server certificates for outgoing connections |
Improper Certificate Validation |
sanktjodel |
Medium |
2020-11-17 |
| Leaked of Profile Image from URL changing |
None supplied |
myat_htut_kyaw |
No rating |
2020-11-17 |
| Improper access control to messages of Social app |
Improper Access Control - Generic |
sanktjodel |
Medium |
2020-11-17 |
| Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file |
Violation of Secure Design Principles |
yahe |
Low |
2020-11-05 |
| Downgrade encryption scheme and break integrity through known-plaintext attack |
Cryptographic Issues - Generic |
yahe |
Medium |
2020-11-05 |
| No rate limiting for confirmation email leads to huge mass mailings |
Business Logic Errors |
kittytrace |
Medium |
2020-11-04 |
| Reduced permutations on encryption |
Cryptographic Issues - Generic |
lynn-stephenson |
Low |
2020-10-28 |
| The password of a mail share is not hashed if the password is given when the share is created |
Plaintext Storage of a Password |
daniel_calvino_sanchez |
Low |
2020-10-28 |
| PIN for passwordless WebAuthn is asked for but not verified |
Improper Authentication - Generic |
dschuermann |
Medium |
2020-10-28 |
| Bypass hide download Nextcloud Share |
Business Logic Errors |
shiniko |
High |
2020-10-05 |
| Recently changed email but can still log in with old email |
Improper Authentication - Generic |
dream_changer |
High |
2020-09-29 |
| Access control missing while viewing the attachments in the "All boards" |
Insecure Direct Object Reference (IDOR) |
divyesh01 |
Medium |
2020-09-29 |
| Re-Sharing allows increase of privileges |
Improper Privilege Management |
alx_il |
Medium |
2020-09-28 |
| Missing server side controls when editing the board’s sharing permissions per user |
Improper Access Control - Generic |
warsocks |
High |
2020-09-28 |
| No rate limiting on signup page |
Business Logic Errors |
xam24 |
Low |
2020-09-28 |
| Stored XSS in collabora via user name |
Cross-site Scripting (XSS) - Stored |
meliodas19 |
Low |
2020-09-19 |
| Clear text storage of proxy parameters and passwords |
Cleartext Storage of Sensitive Information |
rbcafe |
Low |
2020-09-16 |
| Possible denial of service when entering a loooong password |
Brute Force |
guoxuxin |
Medium |
2020-09-16 |
| Linux client is vulnerable to directory traversal when downloading files |
Path Traversal |
icewater |
Medium |
2020-08-17 |
| XSS in desktop client via invalid server address on login form |
Cross-site Scripting (XSS) - Generic |
jplopezy |
Medium |
2020-08-17 |
| RTLO character allowed in shared files |
UI Redressing (Clickjacking) |
inhibitor181 |
Medium |
2020-08-17 |
| Missing memory corruption protection on Windows release build |
Memory Corruption - Generic |
secconsult |
Medium |
2020-08-14 |
| Memory Leak in OCUtil.dll library in Desktop client can lead to DoS |
Denial of Service |
cwave |
Medium |
2020-08-06 |
| Arbitrary code execution in desktop client via OpenSSL config |
Code Injection |
l00ph0le |
Medium |
2020-08-05 |
| XSS in image metadata field |
Cross-site Scripting (XSS) - Stored |
yzy9951 |
Medium |
2020-08-05 |
| Anonymous file drop page ignores user profile visibility restrictions |
Information Disclosure |
pshknst |
No rating |
2020-08-03 |
| Possible denial of service when entering a loooong password |
Brute Force |
xcheater |
Medium |
2020-07-29 |
| Contacts menu (not app) fails to restrict (to local groups) for contacts from federated servers |
Information Disclosure |
nursoda |
Low |
2020-07-25 |
| Non-admin users can trigger writes to memcached by entering a malicious server as a share URL |
CRLF Injection |
jmdx |
Medium |
2020-07-09 |
| Unrestricted file upload on the image of contacts |
Business Logic Errors |
hitman_47 |
Low |
2020-07-08 |
| PHPUnit is included in groupfolders release package potentially causing RCE |
None supplied |
ledfan |
No rating |
2020-06-25 |
| Cross site scripting - XSRF Token |
Cross-site Scripting (XSS) - Generic |
a9hora |
Medium |
2020-06-14 |
| Mail does not verify IMAP/SMTP host connected via TLS |
Improper Certificate Validation |
christophwurst |
Medium |
2020-06-03 |
| Allows any user to share their "Root" level folder by sharing "." |
Improper Access Control - Generic |
chevonphillip |
None |
2020-06-03 |
| Code injection possible with malformed Nextcloud Talk chat commands |
Code Injection |
covert-spectre |
High |
2020-06-02 |
| Code injection possible with malformed Nextcloud Talk chat commands |
Code Injection |
covert-spectre |
High |
2020-06-02 |
| XSS in PDF Viewer |
Cross-site Scripting (XSS) - Generic |
skewbed |
Low |
2020-05-24 |
| Missing ownership check on remote wipe endpoint |
Insecure Direct Object Reference (IDOR) |
hitman_47 |
High |
2020-04-19 |
| User can delete data in shared folders he's not authorized to access |
Improper Access Control - Generic |
jlord87 |
Medium |
2020-04-10 |
| Code injection in macOS Desktop Client |
Code Injection |
r3ggi-on-h1 |
Low |
2020-04-10 |
| "Secure View" aka "Hide Download" can be bypassed easily |
Improper Access Control - Generic |
at5djl3pwjmunyutnoatp |
High |
2020-04-10 |
| Self xss |
Cross-site Scripting (XSS) - Generic |
iwallplace |
Low |
2020-04-05 |
| potential RCE and XSS via file upload requiring user account and default settings |
Code Injection |
rcejules |
High |
2020-04-01 |
| Docker image with FPM is vulnerable to CVE-2019-11043 |
Code Injection |
beched |
Critical |
2020-03-14 |
| SSRF protection bypass |
Server-Side Request Forgery (SSRF) |
foobar7 |
Medium |
2020-03-14 |
| Only the file extensions are checked, not the MIME types as configured |
None supplied |
teaport |
Medium |
2020-03-14 |
| Remote code execution via path traversal in Zip extraction in the Extract app |
Path Traversal |
emilvirkki |
High |
2020-03-07 |
| http://www.nextcloud.com/wp-includes/js/swfupload/swfupload.swf allows open redirect / site defacement |
Open Redirect |
todayisnew |
No rating |
2020-03-07 |
| [Reflected XSS] In Request URL |
Cross-site Scripting (XSS) - Reflected |
nstikhomirov |
Low |
2020-03-01 |
| Username and Access Token Disclosure |
Violation of Secure Design Principles |
jannikg |
Low |
2020-03-01 |
| User with read-only access to a share can gain write access to sub-folders in the share |
Privilege Escalation |
phil-davis |
Medium |
2020-03-01 |
| Persistent XSS via filename in projects |
Cross-site Scripting (XSS) - Stored |
foobar7 |
Low |
2020-03-01 |
| Access to all files of remote user through shared file |
Information Disclosure |
xuesheng |
Medium |
2020-03-01 |
| No session logout after changing password & also Android sessions not shown in sessions list so they can be deleted |
Violation of Secure Design Principles |
whitehattushu |
No rating |
2020-02-09 |
| File-drop content is visible through the gallery app |
None supplied |
nursoda |
Medium |
2020-01-31 |
| Arbitrary SQL command injection |
SQL Injection |
leonklingele |
Critical |
2019-07-21 |
| Remote Code Execution via Extract App Plugin |
OS Command Injection |
hdbreaker |
High |
2019-05-30 |
| Session fixation in password protected public download. |
Session Fixation |
frankspierings |
Low |
2018-10-25 |
| Authentication Issue |
Improper Authentication - Generic |
bugdiscloseguys |
No rating |
2018-10-25 |
| twofactor_auth bypassable if provider fails to load |
Improper Authentication - Generic |
cyphar |
Low |
2018-09-27 |
| Shared file link - password protection bypass under certain conditions |
Information Disclosure |
icewater |
Medium |
2018-09-25 |
| Access control issue -- [Allow file system access not validated when using session auth] |
Improper Access Control - Generic |
born2hack |
Medium |
2018-09-25 |
| HTML injection with AutoComplete suggestions |
Cross-site Scripting (XSS) - Generic |
nickvergessen |
None |
2018-08-10 |
| [FG-VD-17-063] NextCloud Insufficient Attack Protection Vulnerability Notification |
Code Injection |
yzy9951 |
Low |
2018-07-29 |
| bypass of 2FA |
Improper Authentication - Generic |
kaysbugs |
High |
2018-07-29 |
| OAuth2 Access Token and App Password Security Vulnerability |
Use of a Key Past its Expiration Date |
noumar |
Medium |
2018-07-21 |
| Accessing download.nextcloud.com from original ip address | insecure Download |
Cleartext Transmission of Sensitive Information |
iheb_hamad |
No rating |
2018-07-12 |
| The session token in the URL |
Information Disclosure |
mandark |
Medium |
2018-06-19 |
| File access control rules not enforced on image files |
Improper Access Control - Generic |
reinism |
Low |
2018-06-15 |
| Disclosed Version of PORTS SSH|HTTP|SSL |
Information Disclosure |
iheb_hamad |
Low |
2018-06-14 |
| Banner Grabbing - Apache Server Version Disclosure |
Information Disclosure |
cybertiger |
No rating |
2018-05-17 |
| Banner Grabbing - Apache Server Version Disclosure |
Information Disclosure |
kistimat |
No rating |
2018-05-17 |
| Information Exposure Through Directory Listing |
Information Exposure Through Directory Listing |
mobius07 |
None |
2018-05-17 |
| Possible RCE |
Command Injection - Generic |
paulos_ |
No rating |
2018-03-08 |
| Email notification should be sent while changing password on apps.nextcloud.com |
None supplied |
an0nym0us |
No rating |
2018-02-28 |
| Registered users can change app password permissions for any user |
Insecure Direct Object Reference (IDOR) |
icewater |
Low |
2018-02-08 |
| WordPress < 4.8.2 vulnerable to multiple attacks |
Violation of Secure Design Principles |
luckydivino |
Low |
2017-09-27 |
| IDOR unsubscribe Anyone from NextClouds Newsletters by knowing their Email |
Insecure Direct Object Reference (IDOR) |
babayaga_ |
Medium |
2017-09-16 |
| Wordpress Vulnerable to Potential Unauthorized Password Reset |
None supplied |
japz |
Low |
2017-08-15 |
| https://xmpp.nextcloud.com///;@www.google.com allows open redirect |
Open Redirect |
todayisnew |
No rating |
2017-08-13 |
| Directory Listing In Subdomain Of nextcloud.com |
Information Exposure Through Directory Listing |
xyberwolf |
Low |
2017-07-14 |
| ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
Denial of Service |
js_whitehat |
High |
2017-06-08 |
| DOM XSS vulnerability in search dialogue (NC-SA-2017-007) |
Cross-site Scripting (XSS) - Generic |
pain_ |
Low |
2017-06-07 |
| Stored XSS in Gallery application (NC-SA-2017-010) |
Cross-site Scripting (XSS) - Generic |
lukasreschke |
Low |
2017-06-06 |
| Share tokens for public calendars disclosed (NC-SA-2017-011) |
Information Exposure Through Directory Listing |
lukasreschke |
Medium |
2017-06-06 |
| Missing Rate Limiting protection leading to mass triggering of e-mails |
Violation of Secure Design Principles |
giligails |
Medium |
2017-06-05 |
| Missing Rate Limit for Current Password field in nextcloud.com |
Improper Authentication - Generic |
sumitsahoo |
Low |
2017-05-20 |
| Privilege escalation - Normal user can somehow make admin to delete shared folders |
Privilege Escalation |
ayid |
High |
2017-05-20 |
| Dav sharing permissions issue |
Privilege Escalation |
nickvergessen |
Medium |
2017-05-20 |
| Clickjacking In https://demo.nextcloud.com |
UI Redressing (Clickjacking) |
xsszeeshan |
Critical |
2017-05-20 |
| Content spoofing due to the improper behavior of the 403 page |
Violation of Secure Design Principles |
t-pwn |
No rating |
2017-05-18 |
| Content spoofing due to the improper behavior of the 403 page |
None supplied |
t-pwn |
No rating |
2017-05-18 |
| Email Spoofing Vulnerability from nextcloud. |
None supplied |
cloudyvirus |
High |
2017-05-18 |
| Reflected XSS in error pages (NC-SA-2017-008) |
Cross-site Scripting (XSS) - Reflected |
sinkmanu |
Low |
2017-05-15 |
| Possible SSRF in email server settings(SMTP mode) |
Server-Side Request Forgery (SSRF) |
xifengweiyu |
Medium |
2017-05-15 |
| Content (Text) Injection at https://nextcloud.com |
Violation of Secure Design Principles |
xifengweiyu |
Low |
2017-05-15 |
| Nextcloud Server Remote Command Execution |
None supplied |
sniperpex |
High |
2017-05-10 |
| Limitation of app specific password scope can be bypassed (NC-SA-2017-009) |
Privilege Escalation |
makosdel |
Low |
2017-05-08 |
| Calendar and addressbook names disclosed (NC-SA-2017-012) |
Information Disclosure |
juliushaertl |
Low |
2017-05-08 |
| I am because bug |
None supplied |
b69b1b97b19c1c71b0eed85 |
Critical |
2017-05-04 |
| Content Spoofing/Text Injection in https://demo.nextcloud.com |
Violation of Secure Design Principles |
smit |
Low |
2017-04-28 |
| Update php-saml library to 2.10.5 |
Cryptographic Issues - Generic |
lukasreschke |
Low |
2017-04-28 |
| Cross Site Scripting |
None supplied |
lulliii |
No rating |
2017-04-26 |
| Information disclosure |
Information Disclosure |
abdul1ah |
No rating |
2017-04-25 |
| The email API to test email-server settings is unlimited and can be used as an email bomb |
Improper Access Control - Generic |
xifengweiyu |
Medium |
2017-04-24 |
| XSS on IOS app via HTML rendering |
Cross-site Scripting (XSS) - Stored |
bugdiscloseguys |
Low |
2017-04-20 |
| The email API to reset password is unlimited and can be used as an email bomb |
Improper Access Control - Generic |
xifengweiyu |
Low |
2017-04-20 |
| failure to invalidate session on password change |
Improper Authentication - Generic |
pradeepch99 |
No rating |
2017-04-20 |
| Information disclosure |
Information Disclosure |
amirisme |
No rating |
2017-04-20 |
| SSRF at apps.nextcloud.com/developer/apps/releases/new |
Server-Side Request Forgery (SSRF) |
t-pwn |
No rating |
2017-04-20 |
| GIT Detected |
Information Disclosure |
lulliii |
No rating |
2017-04-20 |
| bug reporting template encourages users to paste config file with passwords |
Information Disclosure |
hanno |
Medium |
2017-04-19 |
| CSRF token validation is missing |
Cross-Site Request Forgery (CSRF) |
596a96cc7bf9108cd896f33c4 |
Medium |
2017-04-19 |
| Content Spoofing/Text Injection in nextcloud.com |
Violation of Secure Design Principles |
demo--hacker |
Low |
2017-04-19 |
| https://portal.nextcloud.com/.htaccess file is readable |
Information Disclosure |
sahilmk |
No rating |
2017-04-14 |
| Invalid request may lead content spoofing for phishing |
Violation of Secure Design Principles |
d4rk_g1rl |
No rating |
2017-04-12 |
| Design Issues on ( ███ ) Lead to show ( IPS of Users ) |
None supplied |
m7mdharoun |
Medium |
2017-04-05 |
| Android - Possible to intercept broadcasts about uploaded files |
Information Disclosure |
bagipro |
No rating |
2017-03-23 |
| Server version/OS type disclosure via HTTP Response Header |
None supplied |
ryudox |
Low |
2017-03-23 |
| Reflected XSS in U2F plugin by shipping the example endpoints |
Cross-site Scripting (XSS) - Generic |
lukasreschke |
High |
2017-03-22 |
| Bypassing quota limit |
Privilege Escalation |
nordin |
None |
2017-03-10 |
| Version 4.7.2 of wordpress is vulnerable |
None supplied |
demo--hacker |
High |
2017-03-07 |
| Content Spoofing in "files" app |
Violation of Secure Design Principles |
ahsan |
Low |
2017-03-06 |
| Group admin can remove user from all his groups via API |
None supplied |
nickvergessen |
None |
2017-02-23 |
| Review remote code execution in SwiftMailer |
Code Injection |
lukasreschke |
None |
2017-02-18 |
| xss for admin of https://newsletter.nextcloud.com |
Cross-site Scripting (XSS) - Generic |
sergeym |
No rating |
2017-02-17 |
| Drone Nextcloud |
None supplied |
rbcafe |
No rating |
2017-02-12 |
| User Information Disclosure via REST API |
Information Disclosure |
raunak2002 |
No rating |
2017-02-11 |
| Missing SPF Flags on nextcloud.com |
Violation of Secure Design Principles |
ph_spade |
No rating |
2017-02-10 |
| Bypass permissions |
Privilege Escalation |
secator |
Medium |
2017-02-09 |
| Filename enumeration && DoS |
Denial of Service |
secator |
Low |
2017-02-09 |
| Wordpress 4.7.1 |
None supplied |
rbcafe |
Low |
2017-01-27 |
| Email Spoofing |
Violation of Secure Design Principles |
khalidamin |
No rating |
2017-01-25 |
| Nextcloud.com is vulnerable to SWEET32 attack |
Cryptographic Issues - Generic |
pkkothawade |
No rating |
2017-01-25 |
| HTTP-Basic Authentication on logs.nextcloud.com |
Violation of Secure Design Principles |
rbcafe |
No rating |
2017-01-17 |
| Avatar image upload and bypass real image verification |
Violation of Secure Design Principles |
dremos |
No rating |
2017-01-15 |
| Disclosure of administrators via JSON on nextcloud.com Wordpress |
Information Disclosure |
rbcafe |
No rating |
2017-01-13 |
| WordPress <= 4.6.1 Stored XSS Via Theme File |
Cross-site Scripting (XSS) - Generic |
madrobot |
No rating |
2017-01-13 |
| Bad content-type in response header when getting document can lead to html injection |
Cross-site Scripting (XSS) - Generic |
trichimtrich |
Medium |
2017-01-12 |
| URI scheme bypass in mail app leads to HTML content spoof and opener control |
Violation of Secure Design Principles |
trichimtrich |
No rating |
2017-01-12 |
| Files Drop: WebDAV endpoint is leaking existence of resources |
Information Disclosure |
lukasreschke |
Low |
2017-01-01 |
| Stored XSS on new Calling plugin (spreed) |
Cross-site Scripting (XSS) - Generic |
coolboss |
High |
2016-12-13 |
| Share owner has no possibility to list all existing derived shares |
Improper Authentication - Generic |
detroitsmash |
No rating |
2016-12-13 |
| Password reset link remains valid after email change |
Improper Authentication - Generic |
rootxflood |
No rating |
2016-12-13 |
| [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter |
Violation of Secure Design Principles |
ahsan |
No rating |
2016-12-05 |
| Login Hints on Admin Panel |
Violation of Secure Design Principles |
madhur_bhargava |
Medium |
2016-12-05 |
| BruteForce in to Admin Account |
Improper Authentication - Generic |
hackerwahab |
High |
2016-12-04 |
| Wordpress Version Disclosure Bug On Nextcloud |
Information Disclosure |
cr4zyrud |
Low |
2016-12-04 |
| Reflected XSS in Gallery App |
Cross-site Scripting (XSS) - Generic |
soreks |
Medium |
2016-12-03 |
| \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype |
Cross-site Scripting (XSS) - Generic |
lukasreschke |
Medium |
2016-12-03 |
| IDOR - Disable sharing |
Privilege Escalation |
dalt |
Low |
2016-12-03 |
| Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ |
Violation of Secure Design Principles |
config |
Low |
2016-12-02 |
| xss on demo.nextcloud.com due to outdated version |
Cross-site Scripting (XSS) - Generic |
bm666 |
No rating |
2016-11-26 |
| More content spoofing through dir param in the files app |
Violation of Secure Design Principles |
lmx |
Low |
2016-11-04 |
| [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS |
Cross-site Scripting (XSS) - Generic |
ayid |
Medium |
2016-11-02 |
| Content spoofing due to the improper behavior of the 403 page in Private Server |
Violation of Secure Design Principles |
ahsan |
None |
2016-10-31 |
| Content spoofing in lookup.nextcloud.com |
Violation of Secure Design Principles |
csanuragjain |
Low |
2016-10-10 |
| Slow Http attack on nextcloud(DOS) |
Denial of Service |
drosera |
No rating |
2016-10-05 |
| Arbitrary File Upload in Logo & Log in image Theming setting. |
Cross-site Scripting (XSS) - Generic |
bastianwelfrid |
No rating |
2016-10-05 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page |
Violation of Secure Design Principles |
sysecure |
No rating |
2016-09-29 |
| Password Reset Link issue |
Improper Authentication - Generic |
i1ackerone |
No rating |
2016-09-23 |
| Unauthenticated Stored xss |
Cross-site Scripting (XSS) - Generic |
spetr0x |
No rating |
2016-09-13 |
| Directory listing enabled in: 88.198.160.130 |
Information Disclosure |
sandh0t |
No rating |
2016-09-04 |
| Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) |
Cross-site Scripting (XSS) - Generic |
shivakumar143 |
No rating |
2016-08-31 |
| Content spoofing in cloud.nextcloud.com |
Violation of Secure Design Principles |
ahsan |
No rating |
2016-08-30 |
| demo.nextcloud.com: Content spoofing due to default Apache Error Page |
Violation of Secure Design Principles |
cutejoker |
No rating |
2016-08-30 |
| Reflected Self-XSS Vulnerability in the Comment section of Files Information |
Cross-site Scripting (XSS) - Generic |
naveenv |
No rating |
2016-08-30 |
| Content Injection - demo.nextcloud.com |
Violation of Secure Design Principles |
spodermen |
No rating |
2016-08-26 |
| Content Injection - apps.nextcloud.com |
Violation of Secure Design Principles |
spodermen |
No rating |
2016-08-26 |
| Information Disclosure of .htaccess file in Private Server/Subdomain |
Information Disclosure |
ahsan |
No rating |
2016-08-26 |
| Wordpress: Directory Traversal / Denial of Service |
Information Disclosure |
tbehroz |
No rating |
2016-08-26 |
| Expired SSL certificate |
Violation of Secure Design Principles |
goethe_ |
No rating |
2016-08-25 |
| Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 |
Violation of Secure Design Principles |
fransrosen |
No rating |
2016-08-17 |
| Bookmarks: Delete all existing bookmarks of a user |
Privilege Escalation |
ctee |
No rating |
2016-08-08 |
| help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running |
Denial of Service |
shoveller |
No rating |
2016-07-27 |
| Read-only share recipient can restore old versions of file |
Improper Authentication - Generic |
bugdiscloseguys |
No rating |
2016-07-19 |
| Log pollution can lead to HTML Injection. |
Cross-site Scripting (XSS) - Generic |
apok |
No rating |
2016-07-19 |
| Uploading files to a folder where the invited user doesn't have any EDIT privilege |
Improper Authentication - Generic |
detroitsmash |
No rating |
2016-07-19 |
| Stored XSS on Share-popup of a directory's Gallery-view |
Cross-site Scripting (XSS) - Generic |
fransrosen |
No rating |
2016-07-19 |
| Nextcloud server software: Content Spoofing |
Violation of Secure Design Principles |
ishahriyar |
No rating |
2016-07-19 |
| newsletter.nextcloud.com: Bypass firewall protection |
Improper Authentication - Generic |
bug_cat |
No rating |
2016-07-19 |
| The application uses basic authentication. |
Improper Authentication - Generic |
roshanpty |
No rating |
2016-07-18 |
| nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page) |
Memory Corruption - Generic |
ashish_pathak |
No rating |
2016-07-17 |
| stats.nextcloud.com: Content Injection |
Violation of Secure Design Principles |
kiraak-boy |
No rating |
2016-07-17 |
| REG: Content provider information leakage |
Command Injection - Generic |
zeroknife |
No rating |
2016-06-24 |
| WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available |
Information Disclosure |
vivek-p |
No rating |
2016-06-22 |
| No Rate Limiting on stats.nextcloud.com login |
Violation of Secure Design Principles |
japz |
No rating |
2016-06-22 |
| Deny access to download.nextcloud.com + folders |
Information Disclosure |
thearmfox |
No rating |
2016-06-21 |
| Email ID Disclosure. |
Information Disclosure |
bugdiscloseguys |
No rating |
2016-06-20 |
| No rate limiting on password protected shared file link |
Improper Authentication - Generic |
johnd |
No rating |
2016-06-20 |
| No permission set on Activities [Android App] |
Improper Authentication - Generic |
gaurang |
No rating |
2016-06-20 |
| Bruteforcing help.nextcloud.com |
Improper Authentication - Generic |
japz |
No rating |
2016-06-19 |
| Lost Password CSRF |
Cross-Site Request Forgery (CSRF) |
mefkan |
No rating |
2016-06-19 |
| help.nextcloud Email Address/Username enumeration |
Information Disclosure |
japz |
No rating |
2016-06-19 |
| Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe |
Information Disclosure |
strukt |
No rating |
2016-06-19 |
| Bruteforce attack is possible on newsletter.nextcloud.com |
Improper Authentication - Generic |
koolacac |
No rating |
2016-06-19 |
| Content Injection in subdomain |
Violation of Secure Design Principles |
testest |
No rating |
2016-06-19 |
| Content injection in subdomain |
Violation of Secure Design Principles |
testest |
No rating |
2016-06-19 |
| Business/Functional logic bypass: Remove admins from admin group. |
Privilege Escalation |
paglababa |
No rating |
2016-06-19 |
| Content Spoofing/Text Injection - docs.nextcloud.org |
Violation of Secure Design Principles |
ahsan |
No rating |
2016-06-19 |
| Content Injection 404 page |
Violation of Secure Design Principles |
testest |
No rating |
2016-06-19 |
| No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers |
Violation of Secure Design Principles |
aaron_costello |
No rating |
2016-06-19 |
| Content Spoofing |
Violation of Secure Design Principles |
ashish_pathak |
No rating |
2016-06-19 |
| https://newsletter.nextcloud.com Directory listing and Information Disclosure |
Information Disclosure |
mefkan |
No rating |
2016-06-18 |
| Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) |
Cryptographic Issues - Generic |
1337_inj3c70r |
No rating |
2016-06-17 |
| Server side request forgery (SSRF) on nextcloud implementation. |
None supplied |
paglababa |
No rating |
2016-06-17 |
| Vulnerable Javascript library |
Information Disclosure |
paulochoupina |
No rating |
2016-06-17 |
| help.nextcloud.com: Session Management Issue |
None supplied |
ahsan |
No rating |
2016-06-17 |
| nextcloud.com: Directory listing for 'wp-includes' folders |
Information Disclosure |
zuh4n |
No rating |
2016-06-17 |
| nextcloud.com: Content Injection Custom 404 Error |
Violation of Secure Design Principles |
geekboy |
No rating |
2016-06-17 |