CVE-2025-66548
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | deck | to 1.12.7 (exc) |
| nextcloud | deck | From 1.14.0 (inc) to 1.14.4 (exc) |
| nextcloud | deck | From 1.15.0 (inc) to 1.15.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Deck allows an attacker to spoof file extensions by using Right-To-Left Override (RTLO) characters. This tricks users into downloading files that appear to have a different extension than they actually do, potentially misleading them about the file type.
How can this vulnerability impact me? :
The impact of this vulnerability is that users may be tricked into downloading and opening files with misleading extensions, which could lead to executing malicious files or exposing the system to security risks. However, the CVSS score indicates a low severity with limited impact on confidentiality and no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
Update Nextcloud Deck to version 1.12.7, 1.14.4, or 1.15.1 or later, as these versions contain the fix for the RTLO character file extension spoofing vulnerability.