CVE-2025-66550
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
Meta Information
Published: 2025-12-05
Last Modified: 2025-12-10
Generated: 2026-06-16
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
nextcloud | calendar | From 4.0.0 (inc) to 4.7.17 (exc)
nextcloud | calendar | From 5.0.0 (inc) to 5.2.4 (exc)
CWE ID | Description
CWE-241 | The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
Executive Summary

This vulnerability in Nextcloud Calendar allows a malicious user to create a calendar event with a specially crafted attachment that links to a file on the same Nextcloud server. When another user views this event, the linked file is downloaded automatically without the user's confirmation. This behavior occurs in versions prior to 4.7.17 and 5.2.4 and has been fixed in those versions.

Impact Analysis

The vulnerability can lead to unauthorized downloading of files from the Nextcloud server without user consent, potentially exposing sensitive or private data. This could result in information leakage or unauthorized access to internal files, impacting data confidentiality and user trust.

Mitigation Strategies

Update Nextcloud Calendar to version 4.7.17 (for the 4.x series) or 5.2.4 (for the 5.x series), or to a later release; these versions contain the fix for this vulnerability.
