CVE-2025-66556

LOW

Nextcloud talk <20.1.8-21.1.2 - Info Disclosure

Title source: llm

Description

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2.

References (4)

[Patch, Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh

[Patch] https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725

View Patch ZIP pw:eip

[Issue Tracking, Patch] https://github.com/nextcloud/spreed/pull/15532

[Issue Tracking, Vendor Advisory] https://hackerone.com/reports/3247386

Scores

CVSS v3 3.5

EPSS 0.0001

EPSS Percentile 2.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-639

Status published

Affected Products (1)

nextcloud/talk < 20.1.8

Timeline

Published Dec 05, 2025

Tracked Since Feb 18, 2026