Vulnerability Details CVE-2025-66547
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.2%
CVSS Severity
CVSS v3 Score 4.3
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2
- https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9
- https://github.com/nextcloud/server/issues/51247
- https://github.com/nextcloud/server/pull/51288
- https://hackerone.com/reports/3040887