cvedb.io
CVE-2025-66554
LOW · CVSS 3.5
EPSS exploitation probability: 0%
Published 2025-12-05T18:15:58.630 · Last modified 2026-06-17T09:57:01.223

Summary

The Contacts app for Nextcloud syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Affected products

nextcloud — contacts

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.