CVE-2025-66514 LOW

CVE-2025-66514: Nextcloud Mail stored HTML injection in subject text

Vendor Nextcloud
Product security-advisories
Weakness CWE-79 · XSS
Published December 5, 2025
Last update December 8, 2025

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to version 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into email subjects. JavaScript execution was correctly blocked by the Content Security Policy set by the Nextcloud Server code, which is why the impact is limited to HTML injection rather than script execution.

Key dates

Disclosure timeline

December 5, 2025 CVE published
December 8, 2025 Record updated