Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to version 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML through email subjects. JavaScript execution was correctly blocked by the Content Security Policy of the Nextcloud Server code, which is why the impact is limited to HTML injection rather than script execution.

PUBLISHED | Reserved 2025-12-03 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M

Severity: LOW (3.5)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 5.2.0-beta.1, < 5.5.3: affected

References

github.com/...sories/security/advisories/GHSA-v394-8gpc-6fv5

github.com/nextcloud/mail/pull/11740

github.com/...ommit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09

hackerone.com/reports/3357036

cve.org (CVE-2025-66514)

nvd.nist.gov (CVE-2025-66514)