QwikSec

Security Database

CVE

CWE

Training

CVE-2025-66550

Published: Dec 5, 2025

Modified: Dec 5, 2025

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Vendor	Product	Versions
nextcloud	security-advisories	affected `>= 5.0.0-rc.1, < 5.2.4` affected `< 4.7.17`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv

x_refsource_CONFIRM

https://github.com/nextcloud/calendar/pull/6971

x_refsource_MISC

https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769

x_refsource_MISC

https://hackerone.com/reports/3112033

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.