CVE-2025-59788
Severity: MEDIUM (CVSS 3.1 base score 5.4) · EPSS 15.7%
Published: Dec 4, 2025 · Last Modified: Jun 17, 2026
Description
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
CVSS Details
- Base Score: 5.4 (CVSS 3.1)
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Threat Intelligence
- EPSS Exploit Probability: 15.7% percentile
- Exploit & Patch Status: Public Exploit Known; No Patch Available
Weaknesses (2)
- CWE-749 Exposed Dangerous Method or Function
- CWE-79 Cross-site Scripting
Affected Products (nextcloud_server version ranges)
| Vendor | Product | Version | Range |
|---|---|---|---|
| nextcloud | nextcloud_server | * | ≥22.0.0 – <22.2.10.33 |
| nextcloud | nextcloud_server | * | ≥23.0.0 – <23.0.12.29 |
| nextcloud | nextcloud_server | * | ≥24.0.0 – <24.0.12.28 |
| nextcloud | nextcloud_server | * | ≥25.0.0 – <25.0.13.23 |
| nextcloud | nextcloud_server | * | ≥26.0.0 – <26.0.13.20 |
| nextcloud | nextcloud_server | * | ≥27.0.0 – <27.1.11.20 |
| nextcloud | nextcloud_server | * | ≥28.0.0 – <28.0.14.11 |
| nextcloud | nextcloud_server | * | ≥29.0.0 – <29.0.16.8 |
| nextcloud | nextcloud_server | * | ≥30.0.0 – <30.0.17 |
| nextcloud | nextcloud_server | * | ≥31.0.0 – <31.0.10 |
| nextcloud | nextcloud_server | * | ≥32.0.0 – <32.0.1 |
References (3)
- github.com: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24wp-p865-7j4r
- nextcloud.com: https://nextcloud.com
- redteam-pentesting.de: https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/
Remediation
No remediation data recorded yet. Check vendor advisories and the NVD entry for patch availability.