CVE-2025-66550
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-66550, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-10
Generated
2026-07-06
AI Q&A
2025-12-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nextcloud calendar From 4.0.0 (inc) to 4.7.17 (exc)
nextcloud calendar From 5.0.0 (inc) to 5.2.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-241 The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Calendar allows a malicious user to create a calendar event with a specially crafted attachment that links to a file on the same Nextcloud server. When another user views this event, the linked file is downloaded automatically without the user's confirmation. This behavior occurs in versions prior to 4.7.17 and 5.2.4 and has been fixed in those versions.

Impact Analysis

The vulnerability can lead to unauthorized downloading of files from the Nextcloud server without user consent, potentially exposing sensitive or private data. This could result in information leakage or unauthorized access to internal files, impacting data confidentiality and user trust.

Mitigation Strategies

Update Nextcloud Calendar to version 4.7.17 or 5.2.4 or later, as these versions contain the fix for this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart