Vulnerability DatabaseCVE-2025-66547
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-66547
December 05, 2025
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.
Affected Packages
https://github.com/nextcloud/server.git (GITHUB):
Affected version(s) >=v1.0.0beta1 <v31.0.1
Fix Suggestion:
Update to version v31.0.1
Related Resources (5)
https://github.com/nextcloud/server/pull/51288
https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9
https://hackerone.com/reports/3040887
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2
https://github.com/nextcloud/server/issues/51247
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Authorization Bypass Through User-Controlled Key
CWE-639
EPSS
Base Score:
0.02