Critical RCE and DoS Vulnerabilities in Nextcloud Affect Fedora Users
Severity: High (Score: 70.5)
Sources: Linuxsecurity
Summary
On May 2, 2026, Fedora released an advisory for Nextcloud version 33.0.3, addressing multiple critical vulnerabilities, including remote code execution (RCE) and denial of service (DoS) issues. The vulnerabilities are linked to the Handlebars.js templating engine, with CVEs including CVE-2026-33937, CVE-2026-33939, CVE-2026-33940, CVE-2026-33916, and CVE-2026-33938, all published on March 27, 2026. Attack vectors involve crafted Abstract Syntax Tree objects and malformed decorator syntax, allowing for arbitrary code execution and service disruption. Users of Fedora 42 and 44 are specifically affected, and administrators are urged to apply the patches using the 'dnf' update program. The vulnerabilities pose a significant risk due to their potential for exploitation in live environments. As of now, no active exploitation has been reported, but the existence of proof-of-concept (PoC) exploits raises concerns.

Key Points:
- Multiple critical vulnerabilities in Nextcloud 33.0.3 affect Fedora 42 and 44 users.
- CVE-2026-33937 allows remote code execution via crafted Abstract Syntax Tree objects.
- Administrators are advised to update using 'dnf' to mitigate these vulnerabilities.
Key Entities
- DDoS (attack_type)
- XSS (vulnerability)
- CVE-2026-33916 (cve)
- CVE-2026-33937 (cve)
- CVE-2026-33938 (cve)
- CVE-2026-33939 (cve)
- CVE-2026-33940 (cve)
- CWE-79 - Cross-site Scripting (XSS) (cwe)
- CWE-94 - Code Injection (cwe)
- Fedora (company)
- Handlebars (platform)
- Nextcloud (platform)