Cross-Site Scripting Vulnerability in Nextcloud PDF Viewer
CVE-2025-59788

6.4 MEDIUM

Key Information:

Vendor: Nextcloud

Status
Vendor
CVE Published: 4 December 2025

What is CVE-2025-59788?

A cross-site scripting (XSS) vulnerability exists in the Nextcloud PDF viewer. It allows an attacker to execute arbitrary JavaScript in a user's browser by way of a crafted PDF file sent to the viewer. The vulnerability affects versions of the PDF viewer before 22.2.10.33 and multiple subsequent releases, potentially exposing users to various security threats.

Affected Version(s)

Nextcloud 0 < 22.2.10.33

Nextcloud 23 < 23.0.12.29

Nextcloud 24 < 24.0.12.28

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
