Description
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
References (4)
Core 4
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2
Issue Tracking, Patch x_refsource_misc
https://github.com/nextcloud/contacts/pull/4619
Patch x_refsource_misc
https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1
Permissions Required, Vendor Advisory x_refsource_misc
https://hackerone.com/reports/3293290
Scores
CVSS v3
3.5
EPSS
0.0001
EPSS Percentile
1.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
nextcloud/contacts
5.0.0 - 5.5.4
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026