What is the CVSS score of CVE-2025-66208?

CVE-2025-66208 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of PHP are affected by CVE-2025-66208?

Collabora Online users running versions before 25.04.702 face critical remote code execution risk through the built-in CODE Server proxy, potentially allowing attackers to execute arbitrary OS…. A patch is available.

How to fix or mitigate CVE-2025-66208?

Within 24 hours: Verify which Nextcloud instances run richdocumentscode versions prior to 25.04.702 and assess exposure. Within 7 days: Apply vendor patch 25.04.702 or later across all affected environments; test in staging first. Within 30 days: Conduct security audit of Nextcloud instances for unauthorized access logs and verify patch deployment completion across the organization.

PHP CVE-2025-66208

EUVD-2025-201097 CRITICAL

OS Command Injection (CWE-78)

2025-12-03 security-advisories@github.com

PHP Command Injection Online Nextcloud

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2025-201097

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

Patch released

Mar 15, 2026 - 16:14 nvd

Patch available

CVE Published

Dec 03, 2025 - 19:15 nvd

CRITICAL 9.8

DescriptionNVD

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

RemediationAI

A vendor patch is available — apply it immediately. Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

CVE-2025-66208 vulnerability details – vuln.today

Back

PHP CVE-2025-66208

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code