--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2026-6610e2eca4
2026-05-10 03:16:49.655622+00:00
--------------------------------------------------------------------------------

Name        : nextcloud
Product     : Fedora EPEL 10.2
Version     : 33.0.3
Release     : 1.el10_2
URL         : http://nextcloud.com
Summary     : Private file sync and share server
Description :
NextCloud gives you universal access to your files through a web interface or
WebDAV. It also provides a platform to easily view & sync your contacts,
calendars and bookmarks across all your devices and enables basic editing right
on the web. NextCloud is extendable via a simple but powerful API for
applications and plugins.

--------------------------------------------------------------------------------
Update Information:

33.0.3 Release
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 2 2026 Andrew Bauer <[email protected]> - 33.0.3-1
- 33.0.3 Release RHBZ#2454311
* Sat Apr 18 2026 Andrew Bauer <[email protected]> - 33.0.1-2
- fix cli upgrade advice
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2452582 - CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452582
  [ 2 ] Bug #2452588 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452588
  [ 3 ] Bug #2452590 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452590
  [ 4 ] Bug #2452593 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452593
  [ 5 ] Bug #2452596 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452596
  [ 6 ] Bug #2452597 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452597
  [ 7 ] Bug #2452622 - CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452622
  [ 8 ] Bug #2452631 - CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452631
  [ 9 ] Bug #2452635 - CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452635
  [ 10 ] Bug #2452645 - CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452645
  [ 11 ] Bug #2452647 - CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2452647
  [ 12 ] Bug #2453984 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453984
  [ 13 ] Bug #2454038 - CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2454038
  [ 14 ] Bug #2454311 - nextcloud-33.0.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2454311
  [ 15 ] Bug #2456569 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2456569
  [ 16 ] Bug #2456575 - CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2456575
  [ 17 ] Bug #2457496 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457496
  [ 18 ] Bug #2457502 - CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457502
  [ 19 ] Bug #2457809 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457809
  [ 20 ] Bug #2457810 - CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457810
  [ 21 ] Bug #2457869 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457869
  [ 22 ] Bug #2457875 - CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2457875
  [ 23 ] Bug #2463440 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2463440
  [ 24 ] Bug #2463443 - CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2463443
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs. Use
su -c 'yum update nextcloud' at the command line.
For more information, refer to "YUM", available at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7\
/html/System_Administrators_Guide/ch-yum.html

All packages are signed with the Fedora EPEL GPG key.
More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
