HackerOne Disclosed Reports - 2025-12-05 - Printable Version
Dark C0d3rs (https://darkcoders.wiki), forum: Research Papers/Vulnerability reports, thread: HackerOne Disclosed Reports - 2025-12-05
HackerOne disclosed reports - 2025-12-05 - hashXploiter - 12-06-2025
Severity: Medium (resolved)
Title: Unauthenticated GraphQL access by prepending __schema to private operations
Reported by:
Disclosed: December 5, 2025, 3:10 pm
Weakness: Authentication Bypass
Summary: A vulnerability in the GraphQL schema of the Enjin Platform allowed unauthorized access to the schema by prepending "__schema" to private operations. It was discovered and reported by a security researcher; the affected code in the platform-core repository was identified and a fix was subsequently implemented.

Severity: Medium (resolved)
Title: Stored XSS Vulnerability via SVG File
Reported by: aptroot
Disclosed: December 5, 2025, 10:33 am
Weakness: Cross-site Scripting (XSS) - Stored
Summary: A stored XSS vulnerability was discovered in Nextcloud's handling of SVG files, allowing the execution of arbitrary JavaScript.

Severity: Medium (resolved)
Title: admin_audit does not log actions on files in a group folder
Reported by: Fabien Germain
Disclosed: December 5, 2025, 8:22 am
Weakness: Insufficient Logging
Summary: The admin_audit app in Nextcloud versions prior to 24.0.4 did not log actions on files in a group folder.

Severity: Medium (resolved)
Title: Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Reported by:
Disclosed: December 5, 2025, 8:20 am
Weakness: Improper Access Control - Generic
Summary: The Deck app in Nextcloud allowed users holding only the "Can share" permission to modify the permissions of other non-owners.

Severity: Low (resolved)
Title: Calendar app allowed booking appointments without the generated token
Reported by:
Disclosed: December 5, 2025, 8:18 am
Weakness: Insecure Direct Object Reference (IDOR)
Summary: The Calendar app allowed appointments to be booked without the required generated token, which could have led to unauthorized access.

Severity: Medium (resolved)
Title: Calendar attachments of local files are offered to downloaded
Reported by:
Disclosed: December 5, 2025, 8:18 am
Weakness: Improper Handling of Unexpected Data Type
Summary: A vulnerability in the handling of calendar attachments that point to local files was discovered: users were offered those attachments for download.

Severity: Medium (resolved)
Title: Missing ownership check in Tables app allows moving columns into tables of other users
Reported by:
Disclosed: December 5, 2025, 8:17 am
Weakness: Insecure Direct Object Reference (IDOR)
Summary: The Tables app lacked an ownership check, allowing columns to be moved into tables belonging to other users.

Severity: Medium (resolved)
Title: Tables app allowed users to view columns metadata information of any table
Reported by:
Disclosed: December 5, 2025, 8:17 am
Weakness: Insecure Direct Object Reference (IDOR)
Summary: The Tables app allowed users to view the column metadata of any table.

Severity: Medium (resolved)
Title: Participants were able to blindly delete poll drafts of other users by ID
Reported by:
Disclosed: December 5, 2025, 8:16 am
Weakness: Insecure Direct Object Reference (IDOR)
Summary: Participants were able to blindly delete other users' poll drafts by ID.

Severity: Medium (resolved)
Title: Approval app allows users to request approval for other users' files
Reported by: 0x0.eth
Disclosed: December 5, 2025, 8:11 am
Weakness: Improper Authentication - Generic
Summary: A vulnerability in the Approval app allowed users to request approval for other users' files. The issue was addressed in a security advisory.

Severity: Low (resolved)
Title: Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507)
Reported by: 0x0.eth
Disclosed: December 5, 2025, 8:10 am
Weakness: Improper Authentication - Generic
Summary: A vulnerability in Nextcloud Tables v1 allowed unauthorized users to enumerate shares. It was a regression of a previously fixed issue, CVE-2024-52507.