Platform
nextcloud
Component
Fixed in
5.2.1
CVE-2025-66514 describes a stored HTML injection vulnerability discovered in Nextcloud Mail, the mail application for the Nextcloud self-hosted productivity platform. This flaw allows an authenticated user to inject HTML into email subjects, potentially enabling cross-site scripting (XSS) attacks. The vulnerability affects versions 5.2.0-beta.1 up to, but not including, version 5.5.3. A fix is available in Nextcloud Mail 5.5.3.
An attacker exploiting this vulnerability could inject malicious HTML code into email subjects viewed by other users of Nextcloud Mail. While the Nextcloud server's content security policy (CSP) blocks JavaScript execution, the injected HTML could still be used for phishing attacks, defacement of the user interface, or to trigger other client-side exploits. The impact is limited to users who view the crafted email subjects within the Nextcloud Mail interface. The potential for widespread compromise is low, as the vulnerability requires authentication and targeted crafting of email subjects.
This vulnerability was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available. The CVSS score is LOW (3.5), indicating a relatively low probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2 are at risk. This includes users who rely on Nextcloud Mail for internal communication and those who share email data with external parties. Shared hosting environments running Nextcloud Mail are particularly vulnerable, as a compromised user account could potentially impact other users on the same server.
• php / web: Examine Nextcloud Mail logs for suspicious HTML injection attempts in email subject fields. Look for patterns indicative of malicious code.
# -E is required so that | is treated as alternation rather than a literal character
grep -iE 'script|onload|onerror' /path/to/nextcloud/data/nextcloud/apps/mail/log/mail.log
• php / web: Check email subject fields for unusual HTML tags or attributes.
# Example using curl to inspect a message subject (requires appropriate authentication)
curl -s -X GET 'https://your-nextcloud-instance/index.php/apps/mail/view/message/123' | grep -i '<script'
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66514 is to upgrade Nextcloud Mail to version 5.5.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on email subject fields within the Nextcloud Mail application. While the CSP blocks JavaScript, review and ensure the CSP configuration is robust and up-to-date. Monitor Nextcloud logs for unusual HTML injection attempts. After upgrading, confirm the fix by attempting to inject HTML into an email subject and verifying that it is properly sanitized and does not execute any malicious code.
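The two controls described above, checking subject fields for HTML and making sure a subject is rendered as text rather than markup, are illustrated by the following JavaScript. This is example code added for this page; it is not Nextcloud Mail's own code and does not reproduce the actual change shipped in 5.5.3. The function names, the regular expressions and the sample subjects are constructed assumptions.

```javascript
// Added example (not Nextcloud Mail's own code): a defensive helper pair for a
// web mail client that renders message subjects in the browser.
//  1. escapeHtml() / renderSubjectCell() - the mitigation: neutralise markup so a
//     subject is displayed as text, whatever characters it contains.
//  2. flagSubject() / scanSubjects()     - the detection: report subjects that carry
//     HTML tags, inline event handlers or javascript: URLs, the patterns the
//     page's grep command looks for.
// All sample subjects below are constructed for this example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup an inbox row would use for a subject. Passing the subject
// through escapeHtml() before interpolation is the fix; interpolating the raw
// subject is the bug class CVE-2025-66514 describes.
function renderSubjectCell(subject) {
  return `<td class="subject">${escapeHtml(subject)}</td>`;
}

// Detection heuristics (assumed patterns, not taken from the advisory):
// an HTML tag, an on*= event-handler attribute, or a javascript: URL.
const TAG_RE = /<\s*\/?\s*[a-z][a-z0-9-]*[^>]*>/i;
const HANDLER_RE = /\bon[a-z]+\s*=/i;
const JS_URL_RE = /javascript\s*:/i;

// Return the list of reasons a subject looks suspicious (empty when it looks clean).
function flagSubject(subject) {
  const reasons = [];
  if (TAG_RE.test(subject)) reasons.push('html-tag');
  if (HANDLER_RE.test(subject)) reasons.push('event-handler');
  if (JS_URL_RE.test(subject)) reasons.push('javascript-url');
  return reasons;
}

// Run detection over a batch of subjects (for example pulled from a mailbox or
// from the Nextcloud log) and keep only the suspicious ones with their reasons.
function scanSubjects(subjects) {
  const hits = [];
  for (const s of subjects) {
    const reasons = flagSubject(s);
    if (reasons.length) hits.push({ subject: s, reasons });
  }
  return hits;
}

// Constructed sample data: two harmless subjects (one with bare < and > that
// must survive as text) and two carrying markup.
const SAMPLE_SUBJECTS = [
  'Q4 budget review',
  'Re: <b>urgent</b> invoice',
  'Meeting moved <img src="x" onerror="x()">',
  'Agenda: 3 < 5 and 5 > 3',
];

for (const s of SAMPLE_SUBJECTS) console.log(renderSubjectCell(s));
console.log(scanSubjects(SAMPLE_SUBJECTS));
```

Running the block prints each subject as it would be emitted into an inbox row, with every tag reduced to inert text, followed by the two constructed subjects that the scan flags. The same `escapeHtml()` step is what the post-upgrade check in the paragraph above should observe: injected HTML shows up as literal characters instead of being interpreted.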
Update the Nextcloud Mail application to version 5.5.3 or later. This version contains a fix for the HTML injection vulnerability. The update can be performed through the Nextcloud administration interface.
CVE-2025-66514 is a stored HTML injection vulnerability in Nextcloud Mail affecting versions 5.2.0-beta.1 through 5.5.2, allowing authenticated users to inject HTML into email subjects.
You are affected if you are using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2. Upgrade to version 5.5.3 or later to resolve the issue.
Upgrade Nextcloud Mail to version 5.5.3 or later. Consider implementing stricter input validation on email subject fields as a temporary workaround.
There are currently no known active exploits or campaigns targeting CVE-2025-66514.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)