CVE-2025-66554 LOW

CVE-2025-66554: Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field

Vendor Nextcloud
Product security-advisories
Weakness CWE-79 · XSS
Published December 5, 2025
Last update December 8, 2025
View on NVD All CVEs

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Key dates

02Disclosure timeline

December 5, 2025 CVE published
December 8, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-41943 I, Librarian Stored XSS vulnerability in Item Summary CVE-2025-4469 SourceCodester Online Student Clearance System add-admin.php cross site scripting CVE-2025-28971 WordPress Easy Elements Hider plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability CVE-2024-47348 WordPress Visual CSS Style Editor plugin <= 7.6.4 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata