CVE-2025-66545

LOW

Nextcloud <14.0.11, <15.3.12, <16.0.15, <17.0.14, <18.1.8, <19.1.8,...

Title source: llm

Description

Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.

References (4)

[Patch, Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m

[Issue Tracking] https://github.com/nextcloud/groupfolders/issues/4041

[Issue Tracking, Patch] https://github.com/nextcloud/groupfolders/pull/4076

[Patch] https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58

View Patch ZIP pw:eip

Scores

CVSS v3 3.5

EPSS 0.0003

EPSS Percentile 8.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-707

Status published

Products (1)

nextcloud/group_folders < 14.0.11

Published Dec 05, 2025

Tracked Since Feb 18, 2026