CVE-2025-66514

EPSS 0.03%
Veröffentlicht 05.12.2025 17:32:25
Zuletzt bearbeitet 09.12.2025 19:23:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Mail SwPlatformnextcloud Version < 5.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.079

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5

Patch

Vendor Advisory

https://github.com/nextcloud/mail/pull/11740

Patch

Issue Tracking

https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09

Patch

https://hackerone.com/reports/3357036

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2025-66514

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66514

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66514

EUVD