Description

Nextcloud Deck is a kanban-style organization tool for personal planning and team project organization, integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extensions can be spoofed by using RTLO characters, tricking users into downloading files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

PUBLISHED Reserved 2025-12-04 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M




LOW: 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-116: Improper Encoding or Escaping of Output

Product status

affected: >= 1.15.0-beta.1, < 1.15.1

affected: >= 1.14.0-beta.1, < 1.14.4

affected: < 1.12.7

References

github.com/...sories/security/advisories/GHSA-xjvq-xvr7-xpg6

github.com/nextcloud/deck/pull/6671

github.com/...ommit/afa95d3c507465b9d31af7c88c69b76711ef185a

hackerone.com/reports/2326618

cve.org (CVE-2025-66548)

nvd.nist.gov (CVE-2025-66548)