CVE-2025-59716

Published Nov 5, 2025

Last updated 3 months ago

CVSS medium 5.3

Overview

Description
ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user.
Source
cve@mitre.org
NVD status
Analyzed
Products
guests

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-200

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-59716 - medium 🚨 ownCloud Guests - User Enumeration > ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerabil... 👾 https://t.co/Xisi3mEwFQ @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    26 Mar 2026

    171 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-59716 (ownCloud Guests Zero-Click Identity/Email Enumeration from an auth/state validation logic flaw I found via source-code review. Credit: Ali Firas (thesmartshadow) | Refs: NVD · Tenable · https://t.co/VIDaHL3gOm · Ubuntu · Red Hat · IBM

    @Alishmery2

    30 Dec 2025

    60 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-59716 Unauthenticated User Enumeration Vulnerability in ownCloud Guests before 0.12.5 https://t.co/N0tpHA6KQ3

    @VulmonFeeds

    5 Nov 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-59716 ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of th… https://t.co/uc3GqHLjWh

    @CVEnew

    5 Nov 2025

    335 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.CVE-2024-22402
  2. Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability.CVE-2024-22401

References

Sources include official advisories and independent security research.