FEDORA-2026-cb5661d883 — security update for nextcloud

stable

nextcloud-33.0.3-1.fc44

FEDORA-2026-cb5661d883 created by kni a week ago for Fedora 44

33.0.3 Release

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2026-cb5661d883

This update has been submitted for testing by kni.

a week ago

This update's test gating status has been changed to 'ignored'.

a week ago

This update has been pushed to testing.

a week ago

This update has been submitted for stable by bodhi.

16 hours ago

This update has been pushed to stable.

14 hours ago

Please log in to add feedback.

Metadata

Type

security

Severity

high

Karma

Signed

Content Type

RPM

Test Gating

ignored

Autopush Settings

Unstable by Karma

-3

Stable by Karma

Stable by Time

7 days

Dates

submitted

a week ago

in testing

a week ago

in stable

15 hours ago

approved

16 hours ago

Builds

nextcloud-33.0.3-1.fc44

BZ#2452582 CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all]

BZ#2452588 CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]

BZ#2452590 CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]

BZ#2452593 CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]

BZ#2452596 CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [epel-all]

BZ#2452597 CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [epel-all]

BZ#2452622 CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]

BZ#2452631 CVE-2026-33938 nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]

BZ#2452635 CVE-2026-33940 nextcloud: Handlebars.js: Arbitrary code execution via crafted template context [fedora-all]

BZ#2452645 CVE-2026-33941 nextcloud: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw [fedora-all]

BZ#2452647 CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]

BZ#2453984 CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]

BZ#2454038 CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]

BZ#2454311 nextcloud-33.0.2 is available

BZ#2456569 CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [epel-all]

BZ#2456575 CVE-2026-39865 nextcloud: Axios: Denial of Service via HTTP/2 session cleanup logic state corruption [fedora-all]

BZ#2457496 CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [epel-all]

BZ#2457502 CVE-2025-62718 nextcloud: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization [fedora-all]

BZ#2457809 CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [epel-all]

BZ#2457810 CVE-2026-40194 nextcloud: phpseclib: Information disclosure via timing attack in SSH HMAC comparison [fedora-all]

BZ#2457869 CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [epel-all]

BZ#2457875 CVE-2026-40175 nextcloud: Axios: Remote Code Execution via Prototype Pollution escalation [fedora-all]

BZ#2463440 CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [epel-all]

BZ#2463443 CVE-2026-42035 nextcloud: Axios: Arbitrary HTTP header injection via prototype pollution [fedora-all]

nextcloud-33.0.3-1.fc44

Automated Test Results

ignored