LOWCVE-2025-66554CVSS 3.5

CVE-2025-66554: XSS in Nextcloud Contacts App

Q: What is CVE-2025-66554 — XSS in Nextcloud Contacts App?

CVE-2025-66554 is a cross-site scripting (XSS) vulnerability in the Nextcloud Contacts App that allows attackers to inject CSS code via organization/title fields.

Q: Am I affected by CVE-2025-66554 in Nextcloud Contacts App?

You are affected if you are using Nextcloud Contacts App versions ≤ 7.0.0-alpha.1 and < 7.2.5.

Q: How do I fix CVE-2025-66554 in Nextcloud Contacts App?

Upgrade the Nextcloud Contacts App to version 5.5.4, 6.0.6, or 7.2.5.

Q: Is CVE-2025-66554 being actively exploited?

There are no confirmed reports of active exploitation at this time, but the vulnerability is publicly known.

Q: Where can I find the official Nextcloud advisory for CVE-2025-66554?

Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)

Platform

nextcloud

Component

contacts

Fixed in

7.0.1

6.0.1

5.5.5

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2025-66554 describes a cross-site scripting (XSS) vulnerability discovered in the Nextcloud Contacts App. This flaw allows a malicious user to inject CSS code by manipulating the organization and title fields within the application, potentially leading to information disclosure or other client-side impacts. The vulnerability affects versions of the Contacts App prior to 5.5.4, 6.0.6, and 7.2.5, and a fix has been released.

Impact and Attack Scenarios

An attacker exploiting this XSS vulnerability could inject arbitrary CSS into a user's Nextcloud Contacts App interface. While JavaScript execution is blocked by Nextcloud's content security policy, malicious CSS can still be used to alter the appearance of the page, potentially stealing sensitive information displayed on the screen through techniques like CSS injection to overlay forms or manipulate element visibility. The impact is primarily client-side, but could be leveraged for phishing or to subtly compromise user trust. The blast radius is limited to users interacting with the Contacts App within the affected Nextcloud instance.

Exploitation Context

This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (POC) code has been released at the time of writing. The CVSS score is LOW (3.5), indicating a relatively low probability of exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentcontacts

Vendornextcloud

Affected rangeFixed in

>= 7.0.0-alpha.1, < 7.2.5 – >= 7.0.0-alpha.1, < 7.2.57.0.1

>= 6.0.0-alpha1, < 6.0.6 – >= 6.0.0-alpha1, < 6.0.66.0.1

< 5.5.4 – < 5.5.45.5.5

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2025-12-04
Published2025-12-05
Modified2025-12-08
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2025-66554 is to upgrade the Nextcloud Contacts App to version 5.5.4, 6.0.6, or 7.2.5. If immediate upgrading is not possible, consider implementing strict input validation on the organization and title fields within the Contacts App to prevent the injection of potentially malicious CSS. While a WAF might offer some protection, it is not a reliable solution for this type of XSS vulnerability. After upgrading, verify the fix by attempting to inject CSS code into the organization and title fields and confirming that it is properly sanitized.

How to fix

Update the Nextcloud Contacts app to version 5.5.4, 6.0.6, or 7.2.5, or a later version. This will resolve the stored XSS vulnerability in the organisation and title fields.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-66554 — XSS in Nextcloud Contacts App?

CVE-2025-66554 is a cross-site scripting (XSS) vulnerability in the Nextcloud Contacts App that allows attackers to inject CSS code via organization/title fields.

Am I affected by CVE-2025-66554 in Nextcloud Contacts App?

You are affected if you are using Nextcloud Contacts App versions ≤ 7.0.0-alpha.1 and < 7.2.5.

How do I fix CVE-2025-66554 in Nextcloud Contacts App?

Upgrade the Nextcloud Contacts App to version 5.5.4, 6.0.6, or 7.2.5.

Is CVE-2025-66554 being actively exploited?

There are no confirmed reports of active exploitation at this time, but the vulnerability is publicly known.

Where can I find the official Nextcloud advisory for CVE-2025-66554?

Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.