Description

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

INFO

Published Date :

2025-12-05T17:26:11.306Z

Last Modified :

2025-12-08T20:12:07.012Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66548 vulnerability.

Vendors Products
Nextcloud
  • Deck
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66548.

URL Resource
https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a cve-icon cve-icon
https://github.com/nextcloud/deck/pull/6671 cve-icon cve-icon
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 cve-icon cve-icon
https://hackerone.com/reports/2326618 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact