CVE-2025-66514 describes a stored HTML injection vulnerability in Nextcloud Mail, the mail application for the Nextcloud self-hosted productivity platform. An authenticated user can store HTML in an email subject that is later rendered without escaping for other users; absent the server's content security policy this would be a stored cross-site scripting (XSS) issue. The vulnerability affects versions from 5.2.0-beta.1 up to, but not including, 5.5.3. Nextcloud Mail 5.5.3 contains the fix.
An attacker could inject HTML into email subjects that other Nextcloud Mail users then view. The Nextcloud server's content security policy (CSP) blocks inline script execution, so the injection does not run JavaScript, but attacker-controlled markup still renders: links and images can be used for phishing, the interface can be defaced, and the markup can be chained with other client-side weaknesses. The impact is limited to users who view the crafted subjects in the Nextcloud Mail interface. The potential for widespread compromise is low, because the attacker needs an account on the instance and must craft subjects for specific recipients.
The vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept exploit is known. The CVSS base score is 3.5 (Low), which reflects limited impact rather than likelihood of exploitation; the EPSS score of 0.02% (5th percentile) separately indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog.
Deployments running Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2 are at risk. This includes organizations that use Nextcloud Mail for internal communication and those that exchange email with external parties. Multi-tenant and shared hosting environments deserve particular attention, because a single compromised or malicious account can plant subjects that every other user on the same instance who opens them will render.
• php / web: Examine the Nextcloud server log for errors or warnings raised while the Mail app handled messages whose subject contained markup. By default Nextcloud writes its log to data/nextcloud.log (one JSON object per line); subject text is not normally logged, so this only surfaces subjects that caused a logged error. The -E flag is required: without it, grep treats | as a literal character and the alternation never matches.
grep -Ei 'script|onload|onerror|<img|<a ' /path/to/nextcloud/data/nextcloud.log
• php / web: Check stored subjects for unusual HTML tags or attributes. The rendered view of a message can be fetched with an authenticated request and searched for markup; the path below is illustrative rather than a documented Mail API endpoint, and the search has to target markup you planted from a test account, because the response also contains the app's own legitimate HTML.
# Example: fetch a message view with an app password and search it for markup you placed in a test subject (path is illustrative, requires appropriate authentication)
curl -s -u 'user:app-password' 'https://your-nextcloud-instance/index.php/apps/mail/view/message/123' | grep -Ei '<script|onerror=|<img|<a '
Exploitation status: EPSS 0.02% (5th percentile); no CISA SSVC decision or CVSS vector is provided on this page.
The primary mitigation for CVE-2025-66514 is to upgrade Nextcloud Mail to version 5.5.3 or later. If upgrading is not immediately feasible, exposure can be reduced but not removed: HTML injection of this kind is an output-encoding defect at the point where the subject is rendered, so stricter input validation of subject fields is only a partial workaround and would in practice mean patching the app itself. Keep the server's default CSP intact and current, since it is what prevents the injected markup from executing script, and monitor the Nextcloud log for unusual activity. After upgrading, confirm the fix from a test account by sending a message whose subject contains markup and verifying that the Mail interface displays the subject as literal text rather than rendering it.
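The following is an added illustration for this advisory, not Nextcloud Mail's own code, and it does not reproduce the project's actual defect. It shows the general shape of the bug class and of the checks discussed above: an unescaped subject rendering beside the escaped form, a scan that flags stored subjects carrying markup (serving the detection step above as well), and a parser that tells whether a CSP header still lets inline script run. The sample subjects and CSP strings are constructed for the example.

```javascript
// Added illustration for this advisory; it is not Nextcloud Mail's code and does
// not reproduce the actual defect. It shows (1) unescaped versus escaped subject
// rendering, (2) a scan that flags subjects carrying markup, and (3) a check of
// whether a CSP header still allows inline script.

// Constructed sample subjects, not real mail data.
const SUBJECTS = [
  "Quarterly report Q3",
  "Re: invoice <b>overdue</b>",
  '<img src=x onerror="alert(document.cookie)">',
  '<a href="https://login.example.net/reset">Your password expires today</a>',
  "Price < 100 && ready",
];

// Vulnerable pattern: the subject is interpolated straight into markup.
function renderSubjectVulnerable(subject) {
  return `<span class="subject">${subject}</span>`;
}

// Hardened pattern: escape the five HTML metacharacters before interpolation
// (in a browser, assigning to textContent instead of innerHTML achieves the same).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSubjectSafe(subject) {
  return `<span class="subject">${escapeHtml(subject)}</span>`;
}

// Detection: a subject "carries markup" if it contains something shaped like a tag.
// A bare "<" followed by a digit or space (as in "Price < 100") does not count.
const TAG_RE = /<\s*\/?[a-zA-Z][^>]*>/;
// Attributes that matter for phishing (href, src) or would matter without CSP (on*).
const RISKY_ATTR_RE = /\b(on[a-z]+|href|src|style)\s*=/gi;

function classifySubject(subject) {
  const hasMarkup = TAG_RE.test(subject);
  const riskyAttributes = hasMarkup
    ? [...subject.matchAll(RISKY_ATTR_RE)].map((m) => m[1].toLowerCase())
    : [];
  return { hasMarkup, riskyAttributes };
}

function flaggedSubjects(subjects) {
  return subjects.filter((s) => classifySubject(s).hasMarkup);
}

// CSP check: inline handlers and <script> elements in injected markup run only if
// the effective script-src allows 'unsafe-inline'. Per CSP Level 3, a nonce or hash
// source makes 'unsafe-inline' ignored, and a missing script-src falls back to
// default-src; neither directive present means scripts are unrestricted.
function scriptSrcAllowsInline(cspHeader) {
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  const sources = directives["script-src"] ?? directives["default-src"];
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Stand-alone demonstration.
for (const s of SUBJECTS) {
  console.log(JSON.stringify(s), "->", classifySubject(s));
}
console.log("vulnerable:", renderSubjectVulnerable(SUBJECTS[3]));
console.log("escaped:   ", renderSubjectSafe(SUBJECTS[3]));
console.log("inline script allowed:", scriptSrcAllowsInline("default-src 'self' 'unsafe-inline'"));
```

The detector deliberately looks for tag-shaped text rather than only `<script`, because CSP already neutralises script elements and inline handlers; the residual risk described above is phishing markup such as links and images, which the `riskyAttributes` list surfaces. Run it with `node` against subjects exported from your instance to triage what a malicious account may have stored before the upgrade.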
Update the Nextcloud Mail app to version 5.5.3 or later; this version contains the fix for the HTML injection vulnerability. The update can be run from the Nextcloud admin interface (Apps) or from the command line with occ app:update mail.
CVE-2025-66514 is a stored HTML injection vulnerability in Nextcloud Mail affecting versions 5.2.0-beta.1 through 5.5.2, allowing authenticated users to inject HTML into email subjects.
You are affected if you are using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2. Upgrade to version 5.5.3 or later to resolve the issue.
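Deciding whether an installed build falls inside the affected range is less obvious than it looks, because the range starts at a pre-release (5.2.0-beta.1) and ends just before a release (5.5.3), so a 5.5.3 pre-release is still affected while a 5.2.0 alpha is not. The following is an added example, not part of the advisory or of Nextcloud's tooling; it implements SemVer-style ordering for the version strings and checks them against the range stated above. The sample versions are constructed.

```javascript
// Added example (not from the advisory or Nextcloud): decide whether an installed
// Nextcloud Mail version falls in the affected range 5.2.0-beta.1 <= v < 5.5.3,
// with pre-release ordering handled (5.5.3-beta.1 sorts before 5.5.3, so it is
// affected; 5.2.0-alpha.2 sorts before 5.2.0-beta.1, so it is not).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// SemVer rule: numeric identifiers compare numerically and sort before
// alphanumeric ones; alphanumeric identifiers compare lexically (alpha < beta < rc).
function compareIdentifiers(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;   // a release is newer than any of its pre-releases
  if (!vb.pre) return -1;
  const n = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    if (va.pre[i] === undefined) return -1; // shorter identifier list sorts first
    if (vb.pre[i] === undefined) return 1;
    const c = compareIdentifiers(va.pre[i], vb.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Range from the advisory text above.
const FIRST_AFFECTED = "5.2.0-beta.1";
const FIXED_IN = "5.5.3";

function isAffected(installed) {
  return compareVersions(installed, FIRST_AFFECTED) >= 0 &&
         compareVersions(installed, FIXED_IN) < 0;
}

// Stand-alone demonstration on constructed version strings.
for (const v of ["5.1.9", "5.2.0-alpha.2", "5.2.0-beta.1", "5.2.1", "5.5.2", "5.5.3-rc.1", "5.5.3", "5.6.0"]) {
  console.log(v.padEnd(14), isAffected(v) ? "AFFECTED" : "not affected");
}
```

The version string to feed in is the one reported for the `mail` app by the Nextcloud admin interface or by `occ app:list`; the comparison deliberately refuses strings it cannot parse rather than guessing.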
Upgrade Nextcloud Mail to version 5.5.3 or later. Stricter validation of email subject fields is at most a partial temporary workaround, since the defect is in how subjects are rendered rather than in how they are accepted; until the upgrade, rely on the server's CSP to prevent script execution and treat unexpected formatting in subjects as a phishing indicator.
There are currently no known active exploits or campaigns targeting CVE-2025-66514.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)