Platform: nextcloud
Fixed in: 5.2.1
CVE-2025-66514 describes a stored HTML injection vulnerability discovered in Nextcloud Mail, the mail application for the Nextcloud self-hosted productivity platform. This flaw allows an authenticated user to inject HTML into email subjects, potentially enabling cross-site scripting (XSS) attacks. The vulnerability affects versions 5.2.0-beta.1 up to, but not including, version 5.5.3. A fix is available in Nextcloud Mail 5.5.3.
An attacker exploiting this vulnerability could inject HTML into email subjects that are then viewed by other users of Nextcloud Mail. Although the Nextcloud server's content security policy (CSP) blocks JavaScript execution, the injected HTML could still be used for phishing, defacement of the user interface, or other client-side attacks that do not depend on script execution. The impact is limited to users who view the crafted email subjects within the Nextcloud Mail interface. The potential for widespread compromise is low, since the vulnerability requires authentication and deliberately crafted email subjects.
This vulnerability was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits. The CVSS base score is 3.5 (LOW), and the probability of exploitation is considered low. It is not currently listed in the CISA KEV catalog.
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-66514 is to upgrade Nextcloud Mail to version 5.5.3 or later. If upgrading is not immediately feasible, consider stricter input validation on email subject fields within the Nextcloud Mail application. Although the CSP blocks JavaScript execution, verify that the CSP configuration is intact and current. Monitor Nextcloud logs for unusual HTML injection attempts. After upgrading, confirm the fix by placing HTML markup in an email subject and verifying that it is rendered as literal text rather than interpreted as markup.
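As an added illustration (not Nextcloud Mail's own code), the following contrasts interpolating a subject into markup raw with escaping it first, and adds a simple markup check of the kind the input-validation workaround above calls for; the sample subjects are constructed.

```javascript
// Added example, not code from Nextcloud Mail: rendering an untrusted
// email subject into the HTML of a message list, unsafe vs. hardened.

// Characters that are significant in HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-significant character so the subject is literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw subject is interpolated into markup, so a
// subject like "<b>Invoice</b>" is parsed as HTML instead of shown as text.
function renderSubjectUnsafe(subject) {
  return `<span class="subject">${subject}</span>`;
}

// Hardened pattern: escape before interpolating (the string-building
// equivalent of assigning via textContent in the browser).
function renderSubjectSafe(subject) {
  return `<span class="subject">${escapeHtml(subject)}</span>`;
}

// Input-validation helper: report which HTML-significant characters a
// subject contains, so the caller can reject, log, or escape it.
function findMarkupCharacters(subject) {
  const hits = new Set();
  for (const ch of String(subject)) {
    if (ch in HTML_ESCAPES) hits.add(ch);
  }
  return [...hits];
}

// Constructed sample subjects: one benign, one carrying markup.
const SAMPLE_SUBJECTS = [
  'Meeting notes for Tuesday',
  '<b>Invoice overdue</b> "click" here',
];

for (const s of SAMPLE_SUBJECTS) {
  console.log(renderSubjectSafe(s), findMarkupCharacters(s));
}
```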
Update the Nextcloud Mail app to version 5.5.3 or higher. This version contains a fix for the HTML injection vulnerability. The update can be performed through the Nextcloud administration interface.
CVE-2025-66514 is a stored HTML injection vulnerability in Nextcloud Mail affecting versions 5.2.0-beta.1 through 5.5.2, allowing authenticated users to inject HTML into email subjects.
You are affected if you are using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2. Upgrade to version 5.5.3 or later to resolve the issue.
Upgrade Nextcloud Mail to version 5.5.3 or later. Consider implementing stricter input validation on email subject fields as a temporary workaround.
There are currently no known active exploits or campaigns targeting CVE-2025-66514.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)