CVE-2025-59788
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-03-25

Assigner: MITRE

Description
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2026-03-25
Generated
2026-06-16
AI Q&A
2025-12-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59788
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.1 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17 (exc)
nextcloud nextcloud_server From 28.0.0 (inc) to 28.0.14.11 (exc)
nextcloud nextcloud_server From 29.0.0 (inc) to 29.0.16.8 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.10 (exc)
nextcloud nextcloud_server From 22.0.0 (inc) to 22.2.10.33 (exc)
nextcloud nextcloud_server From 23.0.0 (inc) to 23.0.12.29 (exc)
nextcloud nextcloud_server From 24.0.0 (inc) to 24.0.12.28 (exc)
nextcloud nextcloud_server From 25.0.0 (inc) to 25.0.13.23 (exc)
nextcloud nextcloud_server From 26.0.0 (inc) to 26.0.13.20 (exc)
nextcloud nextcloud_server From 27.0.0 (inc) to 27.1.11.20 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.17 (exc)
nextcloud nextcloud_server From 32.0.0 (inc) to 32.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a cross-site scripting (XSS) issue in Nextcloud versions before certain fixed releases. It occurs in a reachable example directory related to the files_pdfviewer feature, where attackers can execute arbitrary JavaScript in a user's browser by using a specially crafted PDF file loaded into viewer.html. The root cause is that Nextcloud exposes executable example code on a same-origin basis, allowing this attack.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of a user's browser, potentially leading to unauthorized actions such as stealing session tokens, manipulating user data, or performing actions on behalf of the user without their consent. This can compromise user accounts and data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59788. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart