What is the CVSS score of CVE-2025-66554?

CVE-2025-66554 has a CVSS 3.1 base score of 3.5 (Low). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Nextcloud are affected by CVE-2025-66554?

CVE-2025-66554 is a low-severity vulnerability involving cross-site scripting (CVSS 3.5).. A patch is available.

Is there a public PoC exploit available for CVE-2025-66554?

Yes, a public proof-of-concept exploit is available for CVE-2025-66554. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-66554?

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Nextcloud CVE-2025-66554

EUVD-2025-201461 LOW

Cross-site Scripting (XSS) (CWE-79)

2025-12-05 security-advisories@github.com

XSS Nextcloud

3.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

3.5 LOW

AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201461

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

Patch released

Mar 15, 2026 - 17:08 nvd

Patch available

PoC Detected

Dec 09, 2025 - 17:01 vuln.today

Public exploit code

CVE Published

Dec 05, 2025 - 18:15 nvd

LOW 3.5

DescriptionGitHub Advisory

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2025-66554 vulnerability details – vuln.today

Back