CVE-2025-66552

4.3 MEDIUM
Published: December 05, 2025 Modified: December 10, 2025
View on NVD

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x
Source: security-advisories@github.com
Patch Vendor Advisory
https://github.com/nextcloud/server/commit/7cc005c43c72bc384848cf8cb851895827c412f6
Source: security-advisories@github.com
Patch
https://github.com/nextcloud/server/pull/50992
Source: security-advisories@github.com
Issue Tracking
https://hackerone.com/reports/2890071
Source: security-advisories@github.com
Issue Tracking Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.3 / 10.0
EPSS (Exploit Probability)
0.0%
7th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-778

Affected Vendors

nextcloud

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3