CVE-2021-41178
8.8 HIGH · Nextcloud is an open-source, self-hosted productivity platform
Published: 2021-10-25 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-22, CWE-23, CWE-434
Affected products
| Vendor | Product |
|---|---|
| nextcloud | server |
Description
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability allows an attacker to download arbitrary SVG images from the host system, including user-provided files. This could also be leveraged into an XSS/phishing attack: an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated by the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41178
- [Other] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf
- [Patch] https://github.com/nextcloud/server/pull/28726
- [Other] https://hackerone.com/reports/1302155
- [Other] https://security.gentoo.org/glsa/202208-17
Related CVEs
Same vendor
- CVE-2026-45810 — Nextcloud is an open source content collaboration platform (6.8 MEDIUM)
- CVE-2026-45722 — Nextcloud is an open source content collaboration platform (7.1 HIGH)
- CVE-2026-45691 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
- CVE-2026-45690 — Nextcloud is an open source content collaboration platform (5.9 MEDIUM)
- CVE-2026-45545 — Nextcloud is an open source content collaboration platform (8.2 HIGH)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)