CVE-2025-59788

Published Dec 4, 2025

Last updated 21 days ago

CVSS medium 6.4

Overview

Description: Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
Source: cve@mitre.org
NVD status: Analyzed
Products: nextcloud_server

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.4
Impact score: 2.7
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

cve@mitre.org: CWE-749
nvd@nist.gov: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "8A3D94EC-A877-458D-9A33-5451FE97A785",
            "versionEndExcluding": "30.0.17",
            "versionStartIncluding": "30.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "2059C891-F256-482A-99BF-D912A1657419",
            "versionEndExcluding": "31.0.10",
            "versionStartIncluding": "31.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "A75D466C-B154-480A-9D4F-8E9454147156",
            "versionEndExcluding": "32.0.1",
            "versionStartIncluding": "32.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "4440D2E7-2FCB-4CC2-A57F-708AAB0CD22B",
            "versionEndExcluding": "22.2.10.33",
            "versionStartIncluding": "22.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "51922DA7-3112-422A-9F66-9CAA54E89D8F",
            "versionEndExcluding": "23.0.12.29",
            "versionStartIncluding": "23.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "6AC7C575-7348-45A1-9023-A6606541987B",
            "versionEndExcluding": "24.0.12.28",
            "versionStartIncluding": "24.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "000C64D7-C76D-4E69-9705-18132C615456",
            "versionEndExcluding": "25.0.13.23",
            "versionStartIncluding": "25.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "D9491A91-2A7C-4C84-89E9-219422D91350",
            "versionEndExcluding": "26.0.13.20",
            "versionStartIncluding": "26.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "CFD3A15F-58D7-4C3D-A49F-065F28ED6361",
            "versionEndExcluding": "27.1.11.20",
            "versionStartIncluding": "27.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "B55EF258-E98A-43A9-B73C-AE62D448421D",
            "versionEndExcluding": "28.0.14.11",
            "versionStartIncluding": "28.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "7710228F-2984-4F9A-8360-0054E7E78687",
            "versionEndExcluding": "29.0.16.8",
            "versionStartIncluding": "29.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "AE19F75F-6A78-4770-B7C6-338570FA7184",
            "versionEndExcluding": "30.0.17",
            "versionStartIncluding": "30.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "64C21E45-22B8-49B2-B630-30448D89A4E9",
            "versionEndExcluding": "31.0.10",
            "versionStartIncluding": "31.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "CFA5AD5D-1145-44D6-ABE3-64837C74975F",
            "versionEndExcluding": "32.0.1",
            "versionStartIncluding": "32.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References