CVE-2025-66557

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
GitHub_MCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
VendorProductVersion
nextclouddeck
1.14.0 ≤
𝑥
< 1.14.6
nextclouddeck
1.15.0 ≤
𝑥
< 1.15.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae
https://github.com/nextcloud/deck/pull/7131
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv
https://hackerone.com/reports/3247499