Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user it viewing an uploaded SVG outside of the Nextcloud Servers web page.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5
Issue Tracking x_refsource_misc
https://github.com/nextcloud/viewer/pull/3023
Patch x_refsource_misc
https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335b63
Issue Tracking, Vendor Advisory x_refsource_misc
https://hackerone.com/reports/3357808
Scores
CVSS v3
5.4
EPSS
0.0023
EPSS Percentile
13.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
CWE-79
Status
published
Products (1)
nextcloud/nextcloud_server
31.0.0 - 31.0.12 (2 CPE variants)
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026