CVE-2021-32707

Name: CVE-2021-32707
Creator: NVD / NIST
Published: 2021-07-12T19:15:10.227+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.3/10EPSS 1.15%

Last modified Jun 17, 2026

CVE-2021-32707 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. EPSS estimates a 1.15% chance of exploitation in the next 30 days.

Description

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

1.15%

62.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nextcloud	Mail	< 1.9.6

References

https://github.com/nextcloud/mail/pull/5189Patch, Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crhThird Party Advisory
https://hackerone.com/reports/1215251Exploit, Third Party Advisory
https://github.com/nextcloud/mail/pull/5189Patch, Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crhThird Party Advisory
https://hackerone.com/reports/1215251Exploit, Third Party Advisory

Timeline

Published: Jul 12, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-32707?

How severe is CVE-2021-32707?

CVE-2021-32707 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 1.15% probability of exploitation in the next 30 days.

How do I fix CVE-2021-32707?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-32707?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST