Nextcloud

This hub aggregates every CVE we track for Nextcloud, a product in the cloud saas space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Nextcloud.

• CVE-2025-66512Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud5.4Dec 5, 2025
• CVE-2025-59788Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 2...6.4Dec 4, 2025
• CVE-2023-49790App PIN code can be bypassed in Nextcloud Files iOS4.3Dec 22, 2023
• CVE-2023-28999Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders6.9Apr 4, 2023
• CVE-2023-28646App lockout in nextcloud Android app can be bypassed via thirdparty apps4.4Mar 30, 2023
• CVE-2023-28647App pin of the iOS app can be bypassed in Nextcloud iOS4.4Mar 30, 2023
• CVE-2022-39210Access to internal files of the Nextcloud Android app3.2Sep 16, 2022
• CVE-2022-29160Sensitive files/data exist after deletion of user account in Nextcloud Android2.8May 20, 2022
• CVE-2022-24886Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client2.2Apr 27, 2022
• CVE-2022-24885Improper Authentication in Nextcloud Android Files2.0Apr 27, 2022
• CVE-2021-41166Permission bypass in Nextcloud Android App4.3Jan 26, 2022
• CVE-2021-43863SQL Injection in FileContentProvider (GHSL-2021-1007)7.5Jan 25, 2022
• CVE-2021-32728End-to-end encryption device setup did not verify public key6.5Aug 18, 2021
• CVE-2021-32727End-to-end encryption device setup did not verify public key5.7Jul 12, 2021
• CVE-2021-32694Malicious Android application can crash the Nextcloud Android Client4.1Jun 17, 2021