
cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Nextcloud (e5ae4298-6932-564f-a40d-08cebea039a5)
Product: Contacts (63e09ed1-f2b8-5fb4-a45b-ea9239d85d3c)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/nextcloud/contacts | purl2cpe | 2026-06-01 10:17:59.399492

Vulnerability references

Columns: Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale

Identifier: CVE-2025-66554
cpeApplicability: vulnerable
Submitted: 2026-06-03 15:11:00.788876
db.gcve.eu details: Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field
Severity: LOW (3.5)
Description: Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
Published: 2025-12-05T17:50:59.860Z
Updated: 2025-12-08T19:51:03.328Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2023-33182
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:52:13.061940
db.gcve.eu details: Nextcloud Contacts photos only sanitized if mime type is all lower case
Severity: NONE
Description: Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in-memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4.
Published: 2023-05-30T04:58:07.669Z
Updated: 2025-01-10T19:59:11.557Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2021-39221
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:45:08.624054
db.gcve.eu details: XSS in Contacts
Severity: MEDIUM (6.4)
Description: Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy.
Published: 2021-10-25T19:05:10.000Z
Updated: 2024-08-04T01:58:18.235Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2020-8281
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:43:08.574656
db.gcve.eu details: Details available
Description: A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
Published: 2021-01-06T20:58:09.000Z
Updated: 2024-08-04T09:56:28.324Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2020-8280
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:43:08.574282
db.gcve.eu details: Details available
Description: A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
Published: 2021-01-06T20:59:57.000Z
Updated: 2024-08-04T09:56:28.301Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2020-8181
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:43:08.262015
db.gcve.eu details: Details available
Description: A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
Published: 2020-07-10T15:48:41.000Z
Updated: 2024-08-04T09:56:27.392Z
Source: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2018-3764
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:38:50.410774
db.gcve.eu details: Details available
Description: In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
Published: 2018-07-05T16:00:00.000Z
Updated: 2024-08-05T04:50:30.571Z
Source: Imported from gcve-enriched-dumps CVE data
