CVE-2025-66514 describes a stored HTML injection vulnerability discovered in Nextcloud Mail, the mail application for the Nextcloud self-hosted productivity platform. This flaw allows an authenticated user to inject HTML into email subjects, potentially enabling cross-site scripting (XSS) attacks. The vulnerability affects versions 5.2.0-beta.1 up to, but not including, version 5.5.3. A fix is available in Nextcloud Mail 5.5.3.
An attacker exploiting this vulnerability could inject malicious HTML code into email subjects viewed by other users of Nextcloud Mail. While the Nextcloud server's content security policy (CSP) blocks JavaScript execution, the injected HTML could still be used for phishing attacks, defacement of the user interface, or to trigger other client-side exploits. The impact is limited to users who view the crafted email subjects within the Nextcloud Mail interface. The potential for widespread compromise is low, as the vulnerability requires authentication and targeted crafting of email subjects.
This vulnerability was publicly disclosed on 2025-12-05. There are currently no known public proof-of-concept exploits available. The CVSS score is LOW (3.5), and the EPSS score of 0.02% indicates a low probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2 are at risk. This includes users who rely on Nextcloud Mail for internal communication and those who share email data with external parties. Shared hosting environments running Nextcloud Mail are particularly vulnerable, as a compromised user account could potentially impact other users on the same server.
• php / web: Examine Nextcloud Mail logs for suspicious HTML injection attempts in email subject fields. Look for patterns indicative of malicious code (the alternation in the pattern only works with extended regular expressions, hence -E):

    grep -iE 'script|onload|onerror' /path/to/nextcloud/data/nextcloud/apps/mail/log/mail.log

• php / web: Check email subject fields for unusual HTML tags or attributes.

    # Example using curl to inspect a message subject (requires appropriate authentication;
    # the hostname and message id 123 are placeholders)
    curl -s -X GET 'https://your-nextcloud-instance/index.php/apps/mail/view/message/123' | grep -i '<script'
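A plain grep over raw logs misses subjects that arrive as RFC 2047 encoded words (=?UTF-8?B?...?=) or with entity-encoded markup. The following added example, not part of this advisory or of Nextcloud's code, decodes subjects first and then flags tags, inline event handlers and script-capable URI schemes; the regexes and sample subjects are constructed for the example and are assumptions to tune for your environment.

```python
import base64
import html
import re
from email.header import decode_header, make_header

# Markers of stored HTML in a subject: a tag, an inline event handler, or a
# script-capable URI scheme. Constructed for this example; tune as needed.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*[^>]*>", re.IGNORECASE)
EVENT_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
URI_RE = re.compile(r"\b(?:javascript|data)\s*:", re.IGNORECASE)

def decode_subject(raw: str) -> str:
    """Undo what a raw grep misses: RFC 2047 encoded words and HTML entities."""
    try:
        text = str(make_header(decode_header(raw)))
    except (UnicodeError, ValueError, LookupError):
        text = raw  # malformed header: fall back to the raw value
    return html.unescape(text)

def find_html_injection(raw_subject: str) -> list[str]:
    """Return suspicious fragments (tags, then handlers, then URIs); [] if clean."""
    subject = decode_subject(raw_subject)
    hits: list[str] = []
    for pattern in (TAG_RE, EVENT_RE, URI_RE):
        hits.extend(m.group(0) for m in pattern.finditer(subject))
    return hits

def scan_subjects(raw_subjects):
    """Return (decoded_subject, hits) for every subject that is flagged."""
    flagged = []
    for raw in raw_subjects:
        hits = find_html_injection(raw)
        if hits:
            flagged.append((decode_subject(raw), hits))
    return flagged

def encoded_word(text: str) -> str:
    """Build an RFC 2047 base64 encoded word, as a mail client would."""
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"=?UTF-8?B?{b64}?="

# Constructed sample subjects (not real data): clean, plain tag, tag hidden in
# an encoded word, entity-encoded markup, and a harmless bare '<'.
SAMPLE_SUBJECTS = [
    "Quarterly report",
    "Re: <b>Reset your password</b>",
    encoded_word("<img src=x onerror=1>"),
    "Meeting &lt;a href=javascript:void(0)&gt;link&lt;/a&gt;",
    "1 < 2 and 3 > 2",
]
```

Entity-encoded hits are usually what a sanitizer already neutralised, so treat flags as items to review rather than confirmed exploitation.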
Exploitation status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-66514 is to upgrade Nextcloud Mail to version 5.5.3 or later. If upgrading is not immediately feasible, consider implementing stricter input validation on email subject fields within the Nextcloud Mail application. While the CSP blocks JavaScript, review and ensure the CSP configuration is robust and up-to-date. Monitor Nextcloud logs for unusual HTML injection attempts. After upgrading, confirm the fix by attempting to inject HTML into an email subject and verifying that it is properly sanitized and does not execute any malicious code.
Upgrade the Nextcloud Mail app to version 5.5.3 or later. This version contains the fix for the HTML injection vulnerability. The upgrade can be performed through the Nextcloud admin interface.
CVE-2025-66514 is a stored HTML injection vulnerability in Nextcloud Mail affecting versions 5.2.0-beta.1 through 5.5.2, allowing authenticated users to inject HTML into email subjects.
You are affected if you are using Nextcloud Mail versions 5.2.0-beta.1 through 5.5.2. Upgrade to version 5.5.3 or later to resolve the issue.
Upgrade Nextcloud Mail to version 5.5.3 or later. Consider implementing stricter input validation on email subject fields as a temporary workaround.
There are currently no known active exploits or campaigns targeting CVE-2025-66514.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)