CVE-2021-39221
6.4 MEDIUM · Nextcloud is an open-source, self-hosted productivity platform
Published: 2021-10-25 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 6.4 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
- CWE: CWE-434, CWE-79
Affected products
| Vendor | Product |
|---|---|
| nextcloud | contacts |
Description
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application be upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-39221
- [Other] https://github.com/nextcloud/contacts/pull/2407
- [Other] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc
Related CVEs
Same vendor
- CVE-2026-45810 — Nextcloud is an open source content collaboration platform (6.8 MEDIUM)
- CVE-2026-45722 — Nextcloud is an open source content collaboration platform (7.1 HIGH)
- CVE-2026-45691 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
- CVE-2026-45690 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
- CVE-2026-45545 — Nextcloud is an open source content collaboration platform (8.2 HIGH)
Same CWE
- CVE-2026-12425 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access ...
- CVE-2024-30476 — PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager (5.4 MEDIUM)
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-54198 — Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions (7.1 HIGH)
- CVE-2026-54191 — Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions (7.1 HIGH)