Cyber Resilience

CVE-2024-52515

Medium

Published: 15 November 2024

Modified: 01 October 2025
KEV Added
Patch
CVSS Score v3.1: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0149 (81.5th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52515 is a medium-severity Use of Incorrectly-Resolved Name or Reference (CWE-706) vulnerability in Nextcloud Server. Its CVSS base score is 5.7 (Medium).

Operationally, it is ranked in the top 18.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

Nextcloud Server is a self-hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the referenced file exists, the preview of the SVG would preview the other file instead. It is recommended that Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and that Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nextcloud
nextcloud server
24.0.0 — 24.0.12.15 · 25.0.0 — 25.0.13.10 · 26.0.0 — 26.0.13.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.