CVE-2025-66557
MEDIUM
Nextcloud Deck <1.14.6-1.15.2 - Privilege Escalation
Title source: llm
Description
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
References (4)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv
Issue Tracking, Patch x_refsource_misc
https://github.com/nextcloud/deck/pull/7131
Patch x_refsource_misc
https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae
Issue Tracking, Vendor Advisory x_refsource_misc
https://hackerone.com/reports/3247499
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
5.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (1)
nextcloud/deck
1.14.0 - 1.14.6
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026