CVE-2025-66510

low-risk

Published 2025-12-05

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Nextcloud Server

Affected Vendors

Nextcloud

References (3)

Patch https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-c...

Patch https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831...

Issue Tracking https://github.com/nextcloud/server/pull/55657

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low