CVE-2025-66510

4.5 MEDIUM
Published: December 05, 2025 Modified: December 10, 2025
View on NVD

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59
Source: security-advisories@github.com
Patch Vendor Advisory
https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57
Source: security-advisories@github.com
Patch
https://github.com/nextcloud/server/pull/55657
Source: security-advisories@github.com
Issue Tracking

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.5 / 10.0
EPSS (Exploit Probability)
0.0%
7th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-359

Affected Vendors

nextcloud

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3