CVE-2025-66512: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in nextcloud security-advisories
Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page.
AI Analysis
Technical Summary
CVE-2025-66512 is a vulnerability classified under CWE-80, indicating improper neutralization of script-related HTML tags, commonly known as a basic cross-site scripting (XSS) flaw. It affects Nextcloud Server and Server Enterprise versions prior to 31.0.12 and 32.0.3. The root cause is a missing sanitization step when handling uploaded SVG files. SVGs are XML-based vector images that can contain embedded scripts or malicious HTML tags. In this case, an attacker can upload a crafted SVG file that, when viewed outside the Nextcloud web interface, can bypass the content security policy (CSP) designed to restrict script execution. This bypass allows execution of malicious scripts in the context of the user's browser session. The attack vector requires no authentication privileges but does require user interaction—specifically, the victim must be tricked into viewing the malicious SVG file outside the Nextcloud environment, such as via a direct link or external viewer. The CVSS v3.1 score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. While no known exploits are currently reported in the wild, the vulnerability poses a risk of script injection that could lead to session manipulation, content defacement, or denial of service. The issue was publicly disclosed on December 5, 2025, and patches are available in Nextcloud versions 31.0.12 and 32.0.3 and later. Organizations running vulnerable versions should prioritize patching to prevent exploitation.
Potential Impact
For European organizations, this vulnerability could lead to targeted attacks where malicious actors exploit the XSS flaw to execute arbitrary scripts in users' browsers. This can result in session hijacking, unauthorized actions performed on behalf of users, or disruption of service availability. Since Nextcloud is widely used in Europe for personal and enterprise cloud storage, including by government agencies, educational institutions, and private companies, the impact could be significant in terms of operational disruption and potential data integrity issues. Although confidentiality is not directly impacted, the integrity and availability of Nextcloud services could be compromised, affecting business continuity and user trust. The requirement for user interaction somewhat limits large-scale automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios. Organizations relying on Nextcloud for sensitive or critical data storage should consider this vulnerability a moderate threat and act accordingly.
Mitigation Recommendations
1. Immediately upgrade Nextcloud Server and Server Enterprise installations to version 31.0.12, 32.0.3, or later where the vulnerability is patched.
2. Implement strict file upload validation policies to restrict or sanitize SVG uploads, potentially disabling SVG uploads if not required.
3. Educate users about the risks of opening files from untrusted sources, especially SVG files received via email or external links.
4. Employ web application firewalls (WAFs) with rules designed to detect and block malicious SVG payloads or suspicious script activity.
5. Monitor logs for unusual access patterns or attempts to access SVG files outside the Nextcloud web interface.
6. Consider disabling direct access to uploaded files outside the Nextcloud environment or enforce additional authentication for such access.
7. Regularly audit and update content security policies to ensure they are robust against bypass attempts.
8. Conduct internal phishing simulations to raise awareness about social engineering risks related to this vulnerability.
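As an added example (not Nextcloud's code), here is a Python upload-validation check in the spirit of recommendation 2 and of the SVG behaviour described in the technical summary: it parses a candidate SVG and reports script-capable content (script and foreign-content elements, on* event-handler attributes, javascript: and non-raster data: hrefs) so such files can be rejected or routed for sanitization before they are stored. The function names, the sample SVGs and the use of the stdlib parser are assumptions.

```python
# Added example, not Nextcloud's own code: a defensive pre-upload check that
# rejects SVGs carrying script-capable content, the kind of file the advisory
# describes. Uses the stdlib parser; production code should parse untrusted
# XML with defusedxml to also cover entity-expansion attacks.
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script or embed foreign (HTML) content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# Inline data: URLs are fine for raster images, risky for anything else
# (e.g. data:text/html or data:image/svg+xml, which may carry script).
SAFE_DATA_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp")

def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://...}' from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def _href_is_risky(value: str) -> bool:
    v = value.strip().lower()
    return v.startswith("javascript:") or (v.startswith("data:") and not v.startswith(SAFE_DATA_PREFIXES))

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():  # iter() includes the root element itself
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {aname} on <{tag}>")
            elif attr in HREF_ATTRS and _href_is_risky(value):
                findings.append(f"risky {aname} on <{tag}>: {value[:30]!r}")
    return findings

def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)

# Constructed samples for demonstration, not taken from the advisory.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"><rect width="1" height="1"/></svg>'
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:f()"><text>x</text></a></svg>')
```

A check like this belongs at upload time and again before serving, since a file stored before the policy existed is still a risk; a `Content-Disposition: attachment` header or a restrictive per-file CSP on raw downloads complements it.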
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-03T15:28:02.992Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693308e8f88dbe026cf7915a
Added to database: 12/5/2025, 4:31:36 PM
Last enriched: 12/5/2025, 4:46:12 PM
Last updated: 12/6/2025, 4:52:13 AM