CVE-2021-41178

Name: CVE-2021-41178
Creator: NVD / NIST
Published: 2021-10-25T22:15:07.913+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.73%

Last modified Jun 17, 2026

CVE-2021-41178 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. EPSS estimates a 1.73% chance of exploitation in the next 30 days.

Description

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.73%

74.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nextcloud	Server	>= 20.0.3, < 20.0.13
Nextcloud	Server	>= 21.0.1, < 21.0.5
Nextcloud	Server	>= 22.1.1, < 22.2.0

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rfThird Party Advisory
https://github.com/nextcloud/server/pull/28726Patch, Third Party Advisory
https://hackerone.com/reports/1302155Permissions Required
https://security.gentoo.org/glsa/202208-17Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rfThird Party Advisory
https://github.com/nextcloud/server/pull/28726Patch, Third Party Advisory
https://hackerone.com/reports/1302155Permissions Required
https://security.gentoo.org/glsa/202208-17Third Party Advisory

Timeline

Published: Oct 25, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-41178?

How severe is CVE-2021-41178?

CVE-2021-41178 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.73% probability of exploitation in the next 30 days.

How do I fix CVE-2021-41178?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-41178?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST