Vulnerability in Nextcloud Security-advisories
CVE-2025-66552
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files an…
EPSS: 0.000 (9.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
Affected products
- Nextcloud Security-advisories — versions >= 32.0.0beta1, < 32.0.1, < 31.0.9
Weakness classification (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x (x_refsource_CONFIRM)
- https://github.com/nextcloud/server/pull/50992 (x_refsource_MISC)
- https://github.com/nextcloud/server/commit/7cc005c43c72bc384848cf8cb851895827c412f6 (x_refsource_MISC)
- https://hackerone.com/reports/2890071 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-66552?
- CVE-2025-66552 is a medium-severity vulnerability in Nextcloud Security-advisories, classified under CWE-778. CVSS score: 4.3/10. Published 2025-12-05.
- How severe is CVE-2025-66552?
- Medium severity. CVSS v3 base score is 4.3 out of 10.