CVE-2025-66548

MEDIUM EPSS 2.6%
Published Dec 5, 20257mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Dec 5, 2025 7mo ago
Last Modified Jun 17, 2026 2w ago

Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-116

Affected Products 3

VendorProductVersionRange
nextclouddeck* <1.12.7
nextclouddeck*≥1.14.0  –  <1.14.4
nextclouddeck*≥1.15.0  –  <1.15.1

References 4

  • github.com https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a
    Patch
  • github.com https://github.com/nextcloud/deck/pull/6671
    Issue Tracking
  • github.com https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6
    PatchVendor Advisory
  • hackerone.com https://hackerone.com/reports/2326618
    Permissions RequiredVendor Advisory

Remediation

  • github.com https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a
    Patch
  • github.com https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6
    PatchVendor Advisory