{"id":"CVE-2025-66545","summary":"Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin","details":"Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.","aliases":["GHSA-2vrq-fhmf-c49m"],"modified":"2026-07-15T01:49:11.381632028Z","published":"2025-12-05T17:44:13.312Z","database_specific":{"cwe_ids":["CWE-707"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66545.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66545.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-66545"},{"type":"REPORT","url":"https://github.com/nextcloud/groupfolders/issues/4041"},{"type":"FIX","url":"https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58"},{"type":"FIX","url":"https://github.com/nextcloud/groupfolders/pull/4076"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/groupfolders","events":[{"introduced":"0"},{"fixed":"c7ee8dfee0a466f5ba701872b3b0e0957641487d"},{"introduced":"b2c1c5e626bfa4c046b93ed01567207e9e50cffd"},{"fixed":"1b849acc9840cdab2e5c701594fe72dd9894cb57"},{"introduced":"fe0278e4f44e4e75b49d6914aad759be81bf9f3e"},{"fixed":"b5de0e74c9241a3931d8a8789e0055418596faf2"},{"introduced":"8f0d9cb8f8438e863af4d2cf58c99d3e1892f6b6"},{"fixed":"9e833b8318792b425af2a476b466dda96e51c78a"},{"introduced":"9d0b381c73939a2220f252d6e6797a50c53b1268"},{"fixed":"37e69cbe266ffd190c9871b5174f3e901902aec9"},{"introduced":"537df83a0b39e0c3eac8d7ad45a3d53f746d5f33"},{"fixed":"ffcfdc30bbe806149005c586ccf0edc36216d1b1"},{"fixed":"bbe87ebed8da23e9df4db637a76fbc8d36439d58"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"14.0.11"},{"introduced":"15.0.0"},{"fixed":"15.3.12"},{"introduced":"16.0.0"},{"fixed":"16.0.15"},{"introduced":"17.0.0"},{"fixed":"17.0.14"},{"introduced":"18.0.0"},{"fixed":"18.1.8"},{"introduced":"19.0.0"},{"fixed":"20.1.2"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:nextcloud:group_folders:*:*:*:*:*:*:*:*"}}],"versions":["v15.3.11","v14.0.10","v16.0.14","v17.0.13","v20.1.1","v18.1.7","v19.1.7","v20.1.0","v18.1.6","v19.1.5","v20.0.1","v17.0.12","v18.1.5","v19.1.4","v20.0.0","v17.0.11","v18.1.4","v19.1.3","v18.1.3","v19.1.2","v19.1.1","v19.1.0","v18.1.1","v18.1.2","v19.0.4","v18.0.6","v18.1.0","v19.0.3","v19.0.2","v19.0.1","v17.0.10","v18.0.10","v19.0.0","v17.0.1","v16.0.13","v17.0.9","v18.0.9","v19.0.0-alpha.2","v19.0.0-alpha.1","v18.0.8","v17.0.8","v16.0.12","v17.0.7","v18.0.7","v17.0.6","v18.0.5","v18.0.4","v16.0.11","v17.0.5","v18.0.3","v15.3.10","v16.0.10","v17.0.4","v18.0.2","v15.3.9","v16.0.9","v18.0.1","v17.0.3","v17.0.2","v16.0.8","v18.0.0","v18.0.0-beta.1","v15.3.8","v16.0.7","v17.0.0","v14.0.9","v15.3.7","v16.0.6","v14.0.8","v15.3.6","v16.0.5","v17.0.0-beta.1","v14.0.7","v15.3.5","v16.0.4","v16.0.3","v15.3.4","v15.3.3","v16.0.2","v14.0.6","v15.3.2","v16.0.1","v16.0.0","v14.0.5","v15.3.1","v15.3.0","v15.2.0","v15.1.0","v14.0.4","v15.0.2","v14.0.3","v15.0.1","v15.0.0","v14.0.2","v14.0.1","v14.0.0","v10.0.0-beta1","v8.0.0","v6.0.6","v6.0.5","v5.0.7","4.1.6","v6.0.4","v6.0.3","v5.0.6","v6.0.2","v6.0.1","v5.0.5","v4.1.5","v6.0.0","v5.0.4","v4.1.4","v5.0.3","v4.1.3","v5.0.2","v5.0.1","v5.0.0","v4.1.0","v4.0.4","v4.0.2","v4.0.1","v4.0.0","v3.0.1","v3.0.0","v2.0.2","v1.3.3","v2.0.1","v2.0.0","v2.0.0-beta","v1.3.2","v1.3.0","v1.2.2","v1.2.1","v1.2.0","v1.1.0","v1.0.2","v1.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66545.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}]}