CVE-2025-66554: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nextcloud security-advisories
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
AI Analysis
Technical Summary
CVE-2025-66554 is a cross-site scripting (CWE-79) vulnerability identified in the Contacts app component of Nextcloud, a widely used open-source file sharing and collaboration platform. The flaw exists in versions prior to 5.5.4, 6.0.6, and 7.2.5, where a malicious user with at least limited privileges can manipulate the 'organization' and 'title' fields of contact entries to inject additional CSS files into the web page generation process. This improper neutralization of input allows the attacker to influence the styling of the Nextcloud interface for other users viewing the compromised contact data. That said, the Nextcloud server enforces a strict content security policy (CSP) that blocks JavaScript and other potentially more dangerous payloads, mitigating the risk of script-based attacks such as full XSS. The vulnerability does not allow direct execution of arbitrary scripts or access to sensitive data, but it could be used for UI redressing or visual spoofing attacks that may facilitate phishing or social engineering. Exploitation requires the attacker to have at least some authenticated access and user interaction, limiting the attack surface. The vulnerability was publicly disclosed on December 5, 2025, with a CVSS v3.1 base score of 3.5 (low severity), reflecting its limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild, and patches are available in the specified versions.
Potential Impact
For European organizations using Nextcloud, especially those leveraging the Contacts app for internal or external collaboration, this vulnerability poses a low but non-negligible risk. The ability to inject additional CSS could allow attackers to subtly alter the user interface, potentially misleading users or facilitating phishing attempts by changing visual elements such as buttons or links. While the impact on confidentiality and availability is minimal, the integrity of the user interface could be compromised, which may erode user trust and lead to indirect security consequences. Organizations with strict compliance requirements around data integrity and user authentication workflows should be aware of this risk. Since exploitation requires authenticated access and user interaction, insider threats or compromised accounts could be vectors. The limited scope and absence of JavaScript execution reduce the likelihood of widespread damage, but targeted attacks against high-value users or administrators remain a concern.
Mitigation Recommendations
European organizations should promptly upgrade affected Nextcloud Contacts app instances to version 5.5.4, 6.0.6, or 7.2.5 (or later in the respective release branch) to remediate this vulnerability. Additionally, organizations should review and enforce strict access controls and authentication policies to minimize the risk of unauthorized users gaining the privileges needed to exploit this issue. Implementing multi-factor authentication (MFA) can reduce the risk of account compromise. Monitoring logs for unusual modifications to contact fields may help detect exploitation attempts. Organizations should also verify that their Nextcloud instances have a properly configured Content Security Policy to block unauthorized script execution. User awareness training about phishing and UI manipulation risks can further mitigate social engineering attacks that might leverage this vulnerability. Finally, regular vulnerability scanning and patch management processes should be maintained to ensure timely updates.
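The recommendation above to watch for unusual modifications to contact fields can be turned into a concrete check. The following is an added example, not code from Nextcloud or the Contacts app: a small scanner over a vCard (CardDAV) export that flags ORG and TITLE values carrying HTML markup or CSS-loading constructs, plus the output-encoding step that neutralises such values before they are placed on a page. The sample vCards, the pattern set and the `render_contact_html` helper are assumptions for illustration; the page does not show the Contacts app's actual rendering path.

```python
"""Detection helper for CSS/markup injection in vCard ORG and TITLE fields.

Added example, not code from Nextcloud or the Contacts app. Assumes the
input is a vCard 3.0/4.0 export such as one obtained via CardDAV.
"""
import html
import re
from typing import List, NamedTuple, Optional

# Fields the advisory names as the injection point (assumption: vCard property names).
WATCHED_FIELDS = ("ORG", "TITLE")

# Constructs a plain organisation name or job title never needs:
# HTML tags, CSS @import rules and url() resource references. Case-insensitive.
MARKUP_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),
    "css_import": re.compile(r"@import\b", re.I),
    "css_url": re.compile(r"url\s*\(", re.I),
}


class Finding(NamedTuple):
    uid: str
    field: str
    reason: str
    value: str


def _unfold(text: str) -> List[str]:
    """Join vCard continuation lines (RFC 6350 folds long lines with a leading space/tab)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _unescape(value: str) -> str:
    """Undo vCard text escaping so the patterns see the value as it would be rendered."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def classify(value: str) -> Optional[str]:
    """Return the name of the first matching pattern, or None if the value looks benign."""
    for reason, pattern in MARKUP_PATTERNS.items():
        if pattern.search(value):
            return reason
    return None


def scan_vcards(text: str) -> List[Finding]:
    """Walk every vCard in the export and report watched fields that contain markup."""
    findings: List[Finding] = []
    uid = "<no UID>"
    for line in _unfold(text):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters such as TYPE=work
        if prop == "BEGIN":
            uid = "<no UID>"
        elif prop == "UID":
            uid = value.strip()
        elif prop in WATCHED_FIELDS:
            reason = classify(_unescape(value))
            if reason:
                findings.append(Finding(uid, prop, reason, value))
    return findings


def render_contact_html(org: str, title: str) -> str:
    """Neutralise the fields at page-generation time: escape, never interpolate raw text."""
    return (f'<span class="org">{html.escape(org, quote=True)}</span>'
            f'<span class="title">{html.escape(title, quote=True)}</span>')


# Constructed sample export: one benign contact and one whose ORG/TITLE carry markup.
SAMPLE_VCARDS = """BEGIN:VCARD
VERSION:3.0
UID:c1
FN:Alice Example
ORG:Example GmbH
TITLE:Head of Platform
END:VCARD
BEGIN:VCARD
VERSION:3.0
UID:c2
FN:Mallory Example
ORG:Acme<link rel=stylesheet href=https://cdn.example.invalid/theme.css>
TITLE:@import url(https://cdn.example.invalid/theme.css)
END:VCARD
"""

if __name__ == "__main__":
    for f in scan_vcards(SAMPLE_VCARDS):
        print(f"contact {f.uid}: {f.field} flagged ({f.reason}): {f.value!r}")
```

Run it against a real export and review anything flagged: a match does not prove exploitation, but an ORG or TITLE containing a tag or an @import is worth a look at the audit log for who last edited that contact.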
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T15:57:22.035Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69331db5f88dbe026c00670f
Added to database: 12/5/2025, 6:00:21 PM
Last enriched: 12/12/2025, 7:08:26 PM
Last updated: 2/3/2026, 8:29:53 AM