resolved
Unauthenticated GraphQL access by prepending __schema to private operations
Bug reported by was disclosed at December 5, 2025, 3:10 pm | Authentication Bypass
A security vulnerability was identified in the GraphQL schema of the Enjin Platform. The vulnerability allowed unauthorized access to the GraphQL schema by prepending "__schema" to private operations. The vulnerability was discovered and reported by a security researcher. The specific location of the vulnerability within the platform-core repository was identified, and a fix was subsequently implemented to address the issue.
resolved
Stored XSS Vulnerability via SVG File
Bug reported by aptroot was disclosed at December 5, 2025, 10:33 am | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in Nextcloud related to the handling of SVG files. The vulnerability allowed the execution of arbitrary JavaScript code.
resolved
admin_audit does not log actions on files in a group folder
Bug reported by Fabien Germain was disclosed at December 5, 2025, 8:22 am | Insufficient Logging
The admin_audit app in Nextcloud versions prior to 24.0.4 did not log actions on files in a group folder.
resolved
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Bug reported by was disclosed at December 5, 2025, 8:20 am | Improper Access Control - Generic
The Deck app in Nextcloud allowed users with "Can share" permission to modify the permissions of other non-owners.
resolved
Calendar app allowed booking appointments without the generated token
Bug reported by was disclosed at December 5, 2025, 8:18 am | Insecure Direct Object Reference (IDOR)
The calendar app was found to allow booking appointments without the necessary generated token, which could have led to unauthorized access.
resolved
Calendar attachments of local files are offered to downloaded
Bug reported by was disclosed at December 5, 2025, 8:18 am | Improper Handling of Unexpected Data Type
A security vulnerability was discovered in the handling of calendar attachments that reference local files: users were offered these attachments for download.
resolved
Missing ownership check in Tables app allows moving columns into tables of other users
Bug reported by was disclosed at December 5, 2025, 8:17 am | Insecure Direct Object Reference (IDOR)
The Tables app had a vulnerability that allowed moving columns into tables of other users without proper ownership checks.
resolved
Tables app allowed users to view columns metadata information of any table
Bug reported by was disclosed at December 5, 2025, 8:17 am | Insecure Direct Object Reference (IDOR)
The Tables app allowed users to view columns metadata information of any table.
resolved
Participants were able to blindly delete poll drafts of other users by ID
Bug reported by was disclosed at December 5, 2025, 8:16 am | Insecure Direct Object Reference (IDOR)
Participants were able to blindly delete poll drafts of other users by ID.
resolved
Approval app allows users to request approval for other users file
Bug reported by 0x0.eth was disclosed at December 5, 2025, 8:11 am | Improper Authentication - Generic
A security vulnerability was discovered in the Approval app that allowed users to request approval for other users' files. The vulnerability was addressed in a security advisory.
resolved
Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507)
Bug reported by 0x0.eth was disclosed at December 5, 2025, 8:10 am | Improper Authentication - Generic
A vulnerability was discovered in Nextcloud Tables v1 that allowed unauthorized users to enumerate shares. The vulnerability was a regression of a previously addressed issue, CVE-2024-52507.

