CVE-2025-66550

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
GitHub_MCNA
5.7 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
VendorProductVersion
nextcloudcalendar
4.0.0 ≤
𝑥
< 4.7.17
nextcloudcalendar
5.0.0 ≤
𝑥
< 5.2.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769
https://github.com/nextcloud/calendar/pull/6971
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv
https://hackerone.com/reports/3112033