CVE-2025-66548

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a	Patch
https://github.com/nextcloud/deck/pull/6671	Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6	Patch Vendor Advisory
https://hackerone.com/reports/2326618	Permissions Required Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::
	cpe:2.3:a:nextcloud:deck::::::::

History

09 Dec 2025, 19:01

Type	Values Removed	Values Added
First Time		Nextcloud deck Nextcloud
References	~~() https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a -~~	() https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a - Patch
References	~~() https://github.com/nextcloud/deck/pull/6671 -~~	() https://github.com/nextcloud/deck/pull/6671 - Issue Tracking
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 - Patch, Vendor Advisory
References	~~() https://hackerone.com/reports/2326618 -~~	() https://hackerone.com/reports/2326618 - Permissions Required, Vendor Advisory
CPE		cpe:2.3:a:nextcloud:deck::::::::

05 Dec 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-05 18:15

Updated : 2025-12-09 19:01

NVD link : CVE-2025-66548

Mitre link : CVE-2025-66548

CVE.ORG link : CVE-2025-66548

JSON object : View

Products Affected

nextcloud

deck

CWE

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2025-66548", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-12-05T18:15:57.967", "references": [{"url": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/deck/pull/6671", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2326618", "tags": ["Permissions Required", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1."}], "lastModified": "2025-12-09T19:01:55.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CB27832-7EB0-4F3C-9D22-26F111728249", "versionEndExcluding": "1.12.7"}, {"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F630A529-C2EA-4308-AB37-D0A7424D4B46", "versionEndExcluding": "1.14.4", "versionStartIncluding": "1.14.0"}, {"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B268E3B-B298-4A04-94E5-745CE0AD33C5", "versionEndExcluding": "1.15.1", "versionStartIncluding": "1.15.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}