GCVE - cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*

part: a version: * update: *

Vendor	Nextcloud (`e5ae4298-6932-564f-a40d-08cebea039a5`)
Product	Mail (`b095abef-4c07-51bc-8bc5-b5cef59cfad6`)
Edition	*
Language	*
Software edition	*
Target software	nextcloud
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-66514`	vulnerable	2026-06-03 15:11:00.710028	Nextcloud Mail stored HTML injection in subject text LOW (3.5) Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code. Published: 2025-12-05T17:32:25.767Z Updated: 2025-12-08T20:10:21.710Z Open on db.gcve.eu Reference links https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 https://github.com/nextcloud/mail/pull/11740 https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 https://hackerone.com/reports/3357036	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-52509`	vulnerable	2026-06-03 14:57:29.750194	Nextcloud Mail app does not respect download permissions in shares LOW (3.5) Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2. Published: 2024-11-15T17:37:47.035Z Updated: 2024-11-15T18:11:49.618Z Open on db.gcve.eu Reference links https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862 https://github.com/nextcloud/mail/pull/9592 https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b https://hackerone.com/reports/1878255	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-52508`	vulnerable	2026-06-03 14:57:29.749712	Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers HIGH (8.2) Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0. Published: 2024-11-15T17:34:21.900Z Updated: 2024-11-15T18:17:04.830Z Open on db.gcve.eu Reference links https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc https://github.com/nextcloud/mail/pull/9964 https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b https://hackerone.com/reports/2508422	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.