CVE-2023-33182
CVE-2023-33182 is a none-severity vulnerability in Nextcloud Contacts with a CVSS 3.x base score of 0.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: None (CVSS 3.x base score 0.0)
- EPSS exploit prediction: 1% (54th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Nextcloud Contacts
- Published:
- Last modified:
Description
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4
Frequently asked questions
- What is CVE-2023-33182?
- Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4
- How severe is CVE-2023-33182?
- CVE-2023-33182 has a CVSS 3.x base score of 0.0, rated none severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability none.
- Is CVE-2023-33182 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (54th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-33182?
- CVE-2023-33182 affects Nextcloud Contacts. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-33182?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-33182 published?
- CVE-2023-33182 was published on 2023-05-30 and last updated on 2026-06-17.
References
- https://github.com/nextcloud/contacts/pull/3199
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx
- https://hackerone.com/reports/1789602
Affected products (1)
- cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*
More vulnerabilities in Nextcloud Contacts
- CVE-2021-39221 — Medium (CVSS 6.4): Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version…
- CVE-2020-8281 — Medium (CVSS 5.4): A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform…
- CVE-2020-8280 — Medium (CVSS 5.4): A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to…
- CVE-2018-3764 — Medium (CVSS 4.8): In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a…
- CVE-2020-8181 — Medium (CVSS 4.3): A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
- CVE-2025-66554 — Low (CVSS 3.5): Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to…
All CVEs affecting Nextcloud Contacts →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →