CVE-2025-66550

Summary

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories>= 5.0.0-rc.1, < 5.2.4affected
nextcloudsecurity-advisories< 4.7.17affected

Weaknesses

  • CWE-241: CWE-241: Improper Handling of Unexpected Data Type

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References