CVE-2025-66554

Source
https://cve.org/CVERecord?id=CVE-2025-66554
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66554.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66554
Aliases
  • GHSA-9v78-cpfc-v6h2
Published
2025-12-05T17:50:59.860Z
Modified
2026-07-15T01:48:54.230478518Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field
Details

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66554.json"
}
References

Affected packages

Git / github.com/nextcloud/contacts

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/contacts
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.5.4"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.6"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.2.5"
        }
    ]
}

Affected versions

v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66554.json"