CVE-2025-66514
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | Mail | up to 5.5.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored HTML injection in the Nextcloud Mail app's message list that allows an authenticated user to inject HTML into email subjects. Although JavaScript execution is blocked by the content security policy, the injected HTML could still affect how email subjects are displayed.
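The following is an added illustration, not code from Nextcloud Mail or from this record, of the pattern CWE-79 describes here: a subject string placed into message-list markup without neutralization, beside the output-encoded form that fixes it, plus a small check a reviewer can run over rendered rows. The subject string, the row template and every function name are constructed for this example.

```javascript
// Added example (not Nextcloud Mail's own code). Shows how an email subject
// becomes HTML in a message-list row and how entity encoding neutralizes it.
// SAMPLE_SUBJECT is a constructed value; no JavaScript is involved, matching
// the CSP-limited, HTML-only nature of the issue described above.

const SAMPLE_SUBJECT =
  'Invoice <b>overdue</b> <a href="https://example.invalid">pay now</a>';

// Minimal HTML entity encoder suitable for text nodes and quoted attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical template): the raw subject is concatenated
// into markup, so any tags inside it are parsed as part of the page.
function renderRowUnsafe(subject) {
  return `<li class="message-row"><span class="subject">${subject}</span></li>`;
}

// Hardened pattern: the subject is encoded before it is placed in the markup,
// so the browser shows the angle brackets as text instead of parsing them.
function renderRowSafe(subject) {
  return `<li class="message-row"><span class="subject">${escapeHtml(subject)}</span></li>`;
}

// Reviewer-side check: count element tags in a rendered row beyond the four the
// template itself contributes (<li>, <span>, </span>, </li>). Any positive value
// means the subject injected markup into the list.
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - 4;
}

console.log('unsafe row injects', injectedTagCount(renderRowUnsafe(SAMPLE_SUBJECT)), 'tag(s)');
console.log('safe row injects', injectedTagCount(renderRowSafe(SAMPLE_SUBJECT)), 'tag(s)');
```

In a browser component the equivalent of `renderRowSafe` is assigning the subject to `textContent` (or a framework's text interpolation) rather than to `innerHTML`; the string-level encoder above makes the difference visible without a DOM.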
How can this vulnerability impact me?
The vulnerability could allow an authenticated user to inject HTML into email subjects, potentially leading to misleading or manipulated email displays. However, since JavaScript is blocked, the risk of more severe attacks like cross-site scripting is reduced. The impact is limited to integrity issues without confidentiality or availability impact.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Nextcloud Mail app to version 5.5.3 or later to fix the stored HTML injection vulnerability.