CVE-2025-66554

Source
https://cve.org/CVERecord?id=CVE-2025-66554
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66554.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66554
Aliases
  • GHSA-9v78-cpfc-v6h2
Published
2025-12-05T17:50:59.860Z
Modified
2026-03-01T02:55:03.711283Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
Nextcloud Contacts vulnerable to Stored XSS in contacts app via organisation and title field
Details

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66554.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/nextcloud/contacts

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/contacts
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.0.0-alpha.1"
        },
        {
            "fixed": "7.2.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/nextcloud/contacts
Events
Database specific
{
    "versions": [
        {
            "introduced": "6.0.0-alpha1"
        },
        {
            "fixed": "6.0.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/nextcloud/contacts
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.5.4"
        }
    ]
}

Affected versions

2.*
2.0.0
v2.*
v2.0.1
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.6-beta
v3.*
v3.0.0
v3.0.0-alpha1
v3.0.0-beta1
v3.0.1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.9
v3.2.0
v3.3.0
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v4.*
v4.0.0
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-rc.0
v4.0.1
v4.0.2
v4.1.0
v5.*
v5.0.0-alpha1
v5.0.0-alpha2
v5.0.0-alpha3
v5.0.0-alpha4
v5.1.0
v5.3.0-alpha1
v5.3.0-beta1
v5.3.0-beta2
v5.4.0-alpha1
v5.4.0-beta1
v5.4.0-beta2
v5.4.0-beta3
v5.4.0-rc1
v5.5.0
v5.5.0-beta1
v5.5.0-beta3
v5.5.0-beta4
v5.5.0-rc1
v5.5.0-rc2
v5.5.1
v5.5.2
v5.5.3
v6.*
v6.0.0
v6.0.0-alpha1
v6.0.0-rc1
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v7.*
v7.0.0-alpha.1
v7.0.0-beta.1
v7.0.0-beta.2
v7.2.0
v7.2.0-rc.1
v7.2.1
v7.2.2
v7.2.3
v7.2.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66554.json"