by notepad0x90 637 days ago
I would dig a bit more into the breakdown of the CVEs:

https://www.cvedetails.com/product/34622/Nextcloud-Nextcloud...

As well as if this reflects a systemic issue with the codebase or if it is just getting much needed attention from security researchers. More CVEs can just mean they're cleaning up after vulns really well. But at the same time, if they have critical vulns over and over again, that might indicate bad coding practices or carelessness.

2 comments

Nextcloud is well known for its shitty legacy PHP codebase.

Agreed. The breakdown is indeed pretty poor IIRC.

Generally you use these disclosures to make directional decisions about infrastructure. The list of fixed and disclosed CVEs combined with the legacy PHP code base doesn’t really pass the security sniff test. You really wouldn’t know for sure without doing a full code audit.