Home > Vulnerability Database > CVE-2025-66550

Mend.io Vulnerability Database

CVE-2025-66550

Good to know:

Date: December 5, 2025

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Severity Score

5.7

Related Resources (6)

Url: https://hackerone.com/reports/3112033

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv

Url: https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66550

Url: https://github.com/nextcloud/calendar/pull/6971

Url: https://www.mend.io/vulnerability-database/CVE-2025-66550

Severity Score

5.7

Weakness Type (CWE)

Improper Handling of Unexpected Data Type

CWE-241

Top Fix

Upgrade Version

Upgrade to version https://github.com/nextcloud/calendar.git - v4.7.17;https://github.com/nextcloud/calendar.git - v5.2.4

Learn More

CVSS v3.1

Base Score:	5.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66550

Good to know:

Date: December 5, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?