ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
“The vulnerability, which carries the maximum severity rating of 10, makes it possible to obtain passwords and cryptographic keys allowing administrative control of a vulnerable server by sending a simple Web request to a static URL”
As article states, you’re not vulnerable if you don’t have the ‘graphapi’ app installed, whatever that is. Checked my nextcloud instance and it’s not there.