What is the CVSS score of CVE-2025-66557?

CVE-2025-66557 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Deck are affected by CVE-2025-66557?

Organizations using Nextcloud Deck should be aware of moderate risk from CVE-2025-66557, a improper access control vulnerability rated CVSS 5.4.. A patch is available.

How to fix or mitigate CVE-2025-66557?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Deck CVE-2025-66557

EUVD-2025-201465 MEDIUM

Improper Access Control (CWE-284)

2025-12-05 security-advisories@github.com

Authentication Bypass Deck Nextcloud

5.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 17:08 euvd

EUVD-2025-201465

Analysis Generated

Mar 15, 2026 - 17:08 vuln.today

Patch released

Mar 15, 2026 - 17:08 nvd

Patch available

CVE Published

Dec 05, 2025 - 18:15 nvd

MEDIUM 5.4

DescriptionNVD

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.

Analysis

Technical ContextAI

This vulnerability is classified as Improper Access Control (CWE-284).

RemediationAI

A vendor patch is available. Apply it as soon as possible and verify the fix.

CVE-2025-66557 vulnerability details – vuln.today

Back