[22:53:29]
<Yolateng0> Here is a draft security bulletin / CVE-style advisory summarizing the latest vulnerabilities affecting Nextcloud (as deployed via YunoHost).
Nextcloud / YunoHost —
Subject: Multiple security vulnerabilities in Nextcloud — update strongly recommended
Affected Versions
Nextcloud Server versions prior to 31.0.10 / 32.0.1 are affected by some of the issues.
Nextcloud Server versions prior to 31.0.12 / 32.0.3 are affected by the SVG sanitization bug.
Group-folder quota bypass affects Nextcloud Server versions prior to 30.0.2, 29.0.9, 28.0.1 (and related Groupfolders app versions).
(If you use YunoHost’s packaged version of Nextcloud — verify the installed version against the above thresholds.)
Vulnerabilities Summary
CVE / Issue | Type of Risk | Description / Impact
CVE-2025-66510 | Data leakage / unauthorized access | Authenticated users could retrieve personal data (emails, names, identifiers) of other users — even those not in their contacts.
CVE-2025-66512 | Content-security bypass / XSS-style risk | Insufficient sanitization of uploaded/viewed SVG images allows a malicious user to bypass content security policy protections.
CVE-2025-47793 | Quota bypass / resource exhaustion / abuse | In multi-user group folder setups, users could upload attachments to bypass folder quota limits — enabling overuse of storage beyond intended quotas.
Additional vulnerabilities (e.g. SSRF, improper share-recipient endpoint) | Confidentiality / integrity / server integrity risks | Other issues documented include an insecure share-recipient verification endpoint (SSRF risk) in versions prior to 28.0.13, 29.0.10, 30.0.3.
Overall risk: Data confidentiality and integrity, content security policies, and storage quota enforcement are potentially compromised. Administrative disclosure from CERT-FR lists “data confidentiality breach, data integrity compromise, remote code-injection (XSS)” among the possible impacts.
Recommended Mitigations / Actions
Upgrade Nextcloud to a patched version — ideally to at least 31.0.10, or better 31.0.12 / 32.0.3 (or latest stable) depending on your branch.
For instances where upgrade is delayed: limit or disable SVG uploads or disable public/untrusted uploads; restrict who can upload or share files.
Audit your shared folders / group-folder quota settings; verify that users cannot circumvent quotas by attaching data to text files or using quota-bypassing methods.
After upgrade, clear caches, and consider forcing logout of all users to invalidate old sessions (especially if you were affected by session- or authentication-related vulnerabilities).
Review access logs and sharing settings for abnormal account-discovery or data-exposure attempts (in light of data-leak vulnerabilities).
Notes Specific to YunoHost Deployments
Some users report difficulties when upgrading Nextcloud via YunoHost (e.g. failed upgrade scripts, “Internal Server Error” in web UI) after version bumps.
When performing the upgrade on YunoHost, be sure to:
Put Nextcloud into maintenance mode.
Use the YunoHost CLI (yunohost app upgrade) rather than the web updater, when possible.
After upgrade, verify that all services (web, PHP-FPM, cron jobs) are restarted properly.
If you use additional apps (e.g. Groupfolders, third-party apps), check their compatibility with the new Nextcloud version.
[22:53:58]
<Yolateng0> Here is a draft security bulletin / CVE-style advisory summarizing the latest vulnerabilities affecting Nextcloud (as deployed via YunoHost).
Nextcloud / YunoHost —
Subject: Multiple security vulnerabilities in Nextcloud — update strongly recommended
Affected Versions
Nextcloud Server versions prior to 31.0.10 / 32.0.1 are affected by some of the issues.
Nextcloud Server versions prior to 31.0.12 / 32.0.3 are affected by the SVG sanitization bug.
Group-folder quota bypass affects Nextcloud Server versions prior to 30.0.2, 29.0.9, 28.0.1 (and related Groupfolders app versions).
(If you use YunoHost’s packaged version of Nextcloud — verify the installed version against the above thresholds.)
Vulnerabilities Summary
CVE / Issue | Type of Risk | Description / Impact
CVE-2025-66510 | Data leakage / unauthorized access | Authenticated users could retrieve personal data (emails, names, identifiers) of other users — even those not in their contacts.
CVE-2025-66512 | Content-security bypass / XSS-style risk | Insufficient sanitization of uploaded/viewed SVG images allows a malicious user to bypass content security policy protections.
CVE-2025-47793 | Quota bypass / resource exhaustion / abuse | In multi-user group folder setups, users could upload attachments to bypass folder quota limits — enabling overuse of storage beyond intended quotas.
Additional vulnerabilities (e.g. SSRF, improper share-recipient endpoint) | Confidentiality / integrity / server integrity risks | Other issues documented include an insecure share-recipient verification endpoint (SSRF risk) in versions prior to 28.0.13, 29.0.10, 30.0.3.
Overall risk: Data confidentiality and integrity, content security policies, and storage quota enforcement are potentially compromised. Administrative disclosure from CERT-FR lists “data confidentiality breach, data integrity compromise, remote code-injection (XSS)” among the possible impacts.
Recommended Mitigations / Actions
Upgrade Nextcloud to a patched version — ideally to at least 31.0.10, or better 31.0.12 / 32.0.3 (or latest stable) depending on your branch.
For instances where upgrade is delayed: limit or disable SVG uploads or disable public/untrusted uploads; restrict who can upload or share files.
Audit your shared folders / group-folder quota settings; verify that users cannot circumvent quotas by attaching data to text files or using quota-bypassing methods.
After upgrade, clear caches, and consider forcing logout of all users to invalidate old sessions (especially if you were affected by session- or authentication-related vulnerabilities).
Review access logs and sharing settings for abnormal account-discovery or data-exposure attempts (in light of data-leak vulnerabilities).
Notes Specific to YunoHost Deployments
Some users report difficulties when upgrading Nextcloud via YunoHost (e.g. failed upgrade scripts, “Internal Server Error” in web UI) after version bumps.
When performing the upgrade on YunoHost, be sure to:
Put Nextcloud into maintenance mode.
Use the YunoHost CLI (yunohost app upgrade) rather than the web updater, when possible.
After upgrade, verify that all services (web, PHP-FPM, cron jobs) are restarted properly.
If you use additional apps (e.g. Groupfolders, third-party apps), check their compatibility with the new Nextcloud version.
Sources: CVE && CERT-FR
[22:57:26]
<Yolateng0> Subject: Multiple security vulnerabilities in Nextcloud — update strongly recommended
Affected Versions
Nextcloud Server versions prior to 31.0.10 / 32.0.1 are affected by some of the issues.
Nextcloud Server versions prior to 31.0.12 / 32.0.3 are affected by the SVG sanitization bug.
Group-folder quota bypass affects Nextcloud Server versions prior to 30.0.2, 29.0.9, 28.0.1 (and related Groupfolders app versions).
(If you use YunoHost’s packaged version of Nextcloud — verify the installed version against the above thresholds.)
Vulnerabilities Summary
CVE / Issue | Type of Risk | Description / Impact
CVE-2025-66510 | Data leakage / unauthorized access | Authenticated users could retrieve personal data (emails, names, identifiers) of other users — even those not in their contacts.
CVE-2025-66512 | Content-security bypass / XSS-style risk | Insufficient sanitization of uploaded/viewed SVG images allows a malicious user to bypass content security policy protections.
CVE-2025-47793 | Quota bypass / resource exhaustion / abuse | In multi-user group folder setups, users could upload attachments to bypass folder quota limits — enabling overuse of storage beyond intended quotas.
Additional vulnerabilities (e.g. SSRF, improper share-recipient endpoint) | Confidentiality / integrity / server integrity risks | Other issues documented include an insecure share-recipient verification endpoint (SSRF risk) in versions prior to 28.0.13, 29.0.10, 30.0.3.
Overall risk: Data confidentiality and integrity, content security policies, and storage quota enforcement are potentially compromised. Administrative disclosure from CERT-FR lists “data confidentiality breach, data integrity compromise, remote code-injection (XSS)” among the possible impacts.
Recommended Mitigations / Actions
Upgrade Nextcloud to a patched version — ideally to at least 31.0.10, or better 31.0.12 / 32.0.3 (or latest stable) depending on your branch.
For instances where upgrade is delayed: limit or disable SVG uploads or disable public/untrusted uploads; restrict who can upload or share files.
Audit your shared folders / group-folder quota settings; verify that users cannot circumvent quotas by attaching data to text files or using quota-bypassing methods.
After upgrade, clear caches, and consider forcing logout of all users to invalidate old sessions (especially if you were affected by session- or authentication-related vulnerabilities).
Review access logs and sharing settings for abnormal account-discovery or data-exposure attempts (in light of data-leak vulnerabilities).
Notes Specific to YunoHost Deployments
Some users report difficulties when upgrading Nextcloud via YunoHost (e.g. failed upgrade scripts, “Internal Server Error” in web UI) after version bumps.
When performing the upgrade on YunoHost, be sure to:
Put Nextcloud into maintenance mode.
Use the YunoHost CLI (yunohost app upgrade) rather than the web updater, when possible.
After upgrade, verify that all services (web, PHP-FPM, cron jobs) are restarted properly.
If you use additional apps (e.g. Groupfolders, third-party apps), check their compatibility with the new Nextcloud version.
Sources: CVE && CERT-FR