CVE-2025-59788

Source
https://cve.org/CVERecord?id=CVE-2025-59788
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59788.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59788
Aliases
  • GHSA-24wp-p865-7j4r
Published
2025-12-04T00:00:00Z
Modified
2026-07-08T08:12:17.055499582Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59788.json",
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-749"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "22.2.10.33"
                },
                {
                    "introduced": "23"
                },
                {
                    "fixed": "23.0.12.29"
                },
                {
                    "introduced": "24"
                },
                {
                    "fixed": "24.0.12.28"
                },
                {
                    "introduced": "25"
                },
                {
                    "fixed": "25.0.13.23"
                },
                {
                    "introduced": "26"
                },
                {
                    "fixed": "26.0.13.20"
                },
                {
                    "introduced": "27"
                },
                {
                    "fixed": "27.1.11.20"
                },
                {
                    "introduced": "28"
                },
                {
                    "fixed": "28.0.14.11"
                },
                {
                    "introduced": "29"
                },
                {
                    "fixed": "29.0.16.8"
                },
                {
                    "introduced": "30"
                },
                {
                    "fixed": "30.0.17"
                },
                {
                    "introduced": "31"
                },
                {
                    "fixed": "31.0.10"
                },
                {
                    "introduced": "32"
                },
                {
                    "fixed": "32.0.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "22.2.10.33"
                },
                {
                    "introduced": "23"
                },
                {
                    "fixed": "23.0.12.29"
                },
                {
                    "introduced": "24"
                },
                {
                    "fixed": "24.0.12.28"
                },
                {
                    "introduced": "25"
                },
                {
                    "fixed": "25.0.13.23"
                },
                {
                    "introduced": "26"
                },
                {
                    "fixed": "26.0.13.20"
                },
                {
                    "introduced": "27"
                },
                {
                    "fixed": "27.1.11.20"
                },
                {
                    "introduced": "28"
                },
                {
                    "fixed": "28.0.14.11"
                },
                {
                    "introduced": "29"
                },
                {
                    "fixed": "29.0.16.8"
                },
                {
                    "introduced": "30"
                },
                {
                    "fixed": "30.0.17"
                },
                {
                    "introduced": "31"
                },
                {
                    "fixed": "31.0.10"
                },
                {
                    "introduced": "32"
                },
                {
                    "fixed": "32.0.1"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "22.2.10.33"
                }
            ],
            "source": "DESCRIPTION"
        }
    ]
}
References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
        "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.17"
        },
        {
            "introduced": "31.0.0"
        },
        {
            "fixed": "31.0.10"
        },
        {
            "introduced": "32.0.0"
        },
        {
            "fixed": "32.0.1"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v30.*
v30.0.0
v30.0.1
v30.0.10
v30.0.10rc1
v30.0.11
v30.0.11rc1
v30.0.12
v30.0.12rc1
v30.0.12rc2
v30.0.13
v30.0.13rc1
v30.0.14
v30.0.14rc1
v30.0.15
v30.0.15rc1
v30.0.16
v30.0.16rc1
v30.0.17rc1
v30.0.17rc2
v30.0.1rc1
v30.0.1rc2
v30.0.2
v30.0.2rc1
v30.0.2rc2
v30.0.3
v30.0.3rc1
v30.0.3rc2
v30.0.4
v30.0.4rc1
v30.0.5
v30.0.5rc1
v30.0.6
v30.0.6rc1
v30.0.6rc2
v30.0.7
v30.0.7rc1
v30.0.7rc2
v30.0.8
v30.0.8rc1
v30.0.9
v30.0.9rc1
v30.0.9rc2
v31.*
v31.0.0
v31.0.1
v31.0.10rc1
v31.0.10rc2
v31.0.1rc1
v31.0.1rc2
v31.0.2
v31.0.2rc1
v31.0.3
v31.0.3rc1
v31.0.3rc2
v31.0.4
v31.0.4rc1
v31.0.5
v31.0.5rc1
v31.0.6
v31.0.6rc1
v31.0.6rc2
v31.0.7
v31.0.7rc1
v31.0.8
v31.0.8rc1
v31.0.9
v31.0.9rc1
v32.*
v32.0.0
v32.0.1rc1
v32.0.1rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59788.json"