Description
SharePoint for ownCloud is an application for using SharePoint with the file storage, synchronization, and sharing application ownCloud Classic. In SharePoint for ownCloud prior to version 0.4.1, which corresponds to ownCloud 10 prior to 10.15.3, an attacker with administrative privileges can use a SSRF vulnerability in the SharePoint app to execute arbitrary code on the system. Upgrade ownCloud 10 to version 10.15.3 or later to receive SharePoint for ownCloud 0.4.1, the fixed version.
Published: 2026-07-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server‑side request forgery in the SharePoint app integrated with ownCloud Classic. Attackers with administrative privileges can send crafted requests from the ownCloud server to arbitrary URLs. Because the request originates from the host, the attacker can retrieve internal resources, access the local network, and ultimately trigger code execution on the host machine. The flaw is classified as CWE‑918.

Affected Systems

The flaw affects ownCloud SharePoint and ownCloud 10. Any installation of SharePoint for ownCloud version 0.3.x or earlier—specifically ownCloud 10 versions earlier than 10.15.3—is vulnerable. The affected components are the SharePoint app and the underlying ownCloud 10 platform.

Risk and Exploitability

The CVSS base score is 8.5, indicating high severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires administrative access to ownCloud; once obtained, the SSRF allows the attacker to send malicious requests that can lead to arbitrary code execution. The absence of public exploitation data suggests limited known attacks, but the high CVSS score and administrative requirement make the risk significant for systems with exposed administrative interfaces.

Generated by OpenCVE AI on July 7, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ownCloud to version 10.15.3 or later, which includes the fixed SharePoint for ownCloud 0.4.1.
  • Deploy the updated SharePoint app (version 0.4.1) to replace the vulnerable component.
  • Restrict outbound traffic from the ownCloud server to mitigate SSRF exposure until the update is applied.
  • Conduct internal vulnerability scans to confirm no remaining SSRF endpoints remain exposed.

Generated by OpenCVE AI on July 7, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Owncloud
Owncloud owncloud
Owncloud sharepoint
Vendors & Products Owncloud
Owncloud owncloud
Owncloud sharepoint

Mon, 06 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description SharePoint for ownCloud is an application for using SharePoint with the file storage, synchronization, and sharing application ownCloud Classic. In SharePoint for ownCloud prior to version 0.4.1, which corresponds to ownCloud 10 prior to 10.15.3, an attacker with administrative privileges can use a SSRF vulnerability in the SharePoint app to execute arbitrary code on the system. Upgrade ownCloud 10 to version 10.15.3 or later to receive SharePoint for ownCloud 0.4.1, the fixed version.
Title SharePoint for ownCloud 10 is vulnerable to Server-Side Request Forgery (SSRF)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Owncloud Owncloud Sharepoint
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T14:04:52.601Z

Reserved: 2025-07-09T14:14:52.530Z

Link: CVE-2025-53828

cve-icon Vulnrichment

Updated: 2026-07-07T14:04:48.899Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T06:00:13Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)