Vulnerability Details CVE-2025-66547
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 14.5%
CVSS Severity
CVSS v3 Score 4.3
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2
- https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9
- https://github.com/nextcloud/server/issues/51247
- https://github.com/nextcloud/server/pull/51288
- https://hackerone.com/reports/3040887
Products affected by CVE-2025-66547
-
cpe:2.3:a:nextcloud:nextcloud_server:31.0.0