Vulnerability Database

314,496

Total vulnerabilities in the database

CVE-2023-33182

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

Published: May 30, 2023
Updated: Nov 16, 2025
CVE: CVE-2023-33182
Severity: Info
Exploit:

CVSS v3:

Severity: Unknown
Score: 0
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
nextcloud / contacts	4.1.0	4.2.4
nextcloud / contacts	5.0.0	5.0.3

https://github.com/nextcloud/contacts/pull/3199
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx
https://hackerone.com/reports/1789602

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo