Critical vulnerability in NextcloudPi < 1.53.1

NextcloudPi versions prior to v1.53.1 are affected by a critical security vulnerability in the NCP admin web interface:

This vulnerability allows attackers to execute arbitrary code on the server as root while bypassing the password protection of the admin interface.

Therefore, if you are running an older version of NextcloudPi, please update to the latest version as soon as possible with the command ncp-update (any version greater than or equal to v1.53.1 is not affected).

For most NextcloudPi installations, exploiting this vulnerability would require access to the local network, since the admin interface is limited to clients with local IP addresses. However, there may be instances where administrators manually disabled this precaution and exposed the admin interface to the internet, in which case the exploit can be performed without restrictions.


This should be getting more attention.