
CVE-2025-66554: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nextcloud security-advisories

Severity: Low
Tags: Vulnerability, CVE-2025-66554, cve, cve-2025-66554, cwe-79
Published: Fri Dec 05 2025 (12/05/2025, 17:50:59 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

The Contacts app for Nextcloud syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

AI-Powered Analysis

AI analysis last updated: 12/05/2025, 18:15:47 UTC

Technical Analysis

CVE-2025-66554 is a cross-site scripting vulnerability classified under CWE-79 found in the Nextcloud Contacts app, which synchronizes contacts across devices. The vulnerability exists in versions prior to 5.5.4, 6.0.6, and 7.2.5, where a malicious user with at least limited privileges can manipulate the organisation and title fields to inject additional CSS files into the web page generation process. Although JavaScript and other potentially dangerous content are blocked by Nextcloud's content security policy, the ability to load arbitrary CSS can still alter the visual presentation of the application, potentially misleading users or facilitating UI redressing attacks. The vulnerability requires user interaction and some level of privilege (PR:L) but does not allow direct code execution or data exfiltration. The CVSS 3.1 score is 3.5 (low), reflecting the limited impact on confidentiality and availability, with integrity affected only in terms of UI appearance. No public exploits have been reported, and the issue was publicly disclosed on December 5, 2025. The fix is included in Nextcloud Contacts app versions 5.5.4, 6.0.6, and 7.2.5.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential alteration of the user interface within the Nextcloud Contacts app, which could be used to mislead users or conduct social engineering attacks. While it does not directly compromise sensitive data or system availability, the integrity of the user experience is at risk. Organizations relying heavily on Nextcloud for contact management, especially in sectors like government, education, and enterprises with strict compliance requirements, may face reputational risks if attackers exploit this flaw to create confusion or phishing scenarios. The requirement for user interaction and limited privileges reduces the likelihood of widespread exploitation but does not eliminate targeted attacks. Since Nextcloud is widely used in Europe, especially in countries promoting open-source solutions, the vulnerability could affect a significant number of users if unpatched.

Mitigation Recommendations

The most effective mitigation is to upgrade the Nextcloud Contacts app to version 5.5.4, 6.0.6, or 7.2.5 (or later on the respective release line), where the vulnerability is fixed. Organizations should audit their Nextcloud deployments to identify affected versions and prioritize patching. Additionally, administrators should review and tighten input validation and sanitization for fields that can influence UI rendering, such as the organisation and title fields. Implementing a stricter Content Security Policy (CSP) than the Nextcloud default can further reduce risk by restricting where stylesheets may be loaded from. Monitoring activity logs for unusual modifications to contact fields and educating users about UI manipulation tactics can help detect and prevent exploitation. For custom Nextcloud instances or integrations, code reviews focusing on input handling in the Contacts app are recommended.
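To support the version audit recommended above, here is a small added helper (not code from Nextcloud or from this advisory) that classifies an installed Contacts app version against the three fixed versions. It assumes the three fixed versions map to the 5.x, 6.x and 7.x release lines respectively, and the sample `occ app:list`-style text it scans is constructed, not captured from a real instance.

```python
"""Audit helper: flag Nextcloud Contacts app versions affected by CVE-2025-66554.

Assumption (not stated on the page): the three fixed versions correspond to
three release lines, i.e. 5.x is fixed at 5.5.4, 6.x at 6.0.6 and 7.x at
7.2.5; versions on any other line are reported as "unknown".
"""
import re

FIXED = {5: (5, 5, 4), 6: (6, 0, 6), 7: (7, 2, 5)}


def parse_version(s):
    """Turn '7.2.5' (or a short form such as '7.2') into a comparable 3-tuple."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"not a version string: {s!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def status(version):
    """Return 'affected', 'fixed' or 'unknown' for a Contacts app version."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


def audit_app_list(text):
    """Find the contacts app in app-list style output and return (version, status),
    or None when the app is not listed at all."""
    m = re.search(r"^\s*-\s*contacts:\s*(\S+)", text, re.MULTILINE)
    if not m:
        return None
    return m.group(1), status(m.group(1))


# Constructed sample shaped like `occ app:list` output (not real captured output).
SAMPLE = """Enabled:
  - calendar: 5.3.1
  - contacts: 7.2.3
Disabled:
  - weather_status: 1.19.0
"""

if __name__ == "__main__":
    print(audit_app_list(SAMPLE))  # ('7.2.3', 'affected')
```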


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T15:57:22.035Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69331db5f88dbe026c00670f

Added to database: 12/5/2025, 6:00:21 PM

Last enriched: 12/5/2025, 6:15:47 PM

Last updated: 12/10/2025, 11:19:38 PM

Views: 41

