CVE-2025-47792

Nextcloud Desktop 3rdparty applications can create share links via socket API

CVSS 5 MEDIUMEPSS 0.2%CWE-284

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 May 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, 3rdparty applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known workarounds are available.

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Affected products

nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/nextcloud/desktop/pull/7517 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qm2f-959g-7p65 https://hackerone.com/reports/1995856