Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary up to 20 bytes long SQL queries, through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database, or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0.
AnalysisAI
SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitrary SQL queries against the backend database via a stored injection vector. Although a 20-byte length limit is imposed on the injected payload, carefully crafted input can break out of this restriction, enabling data extraction and modification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated Nextcloud account (PR:L) that has been granted access to the Tables app and at least one table or view where column/filter input can be supplied - this is the explicit prerequisite stated in the advisory ('an authenticated attacker with access to the Tables app'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 8.2 reflects network attack vector (AV:N), high attack complexity (AC:H, consistent with the need to craft input that escapes a 20-byte length cap), low privileges (PR:L, an authenticated Nextcloud user with Tables access), no user interaction, changed scope (S:C - the Tables app boundary into the shared Nextcloud database), and high confidentiality and integrity impact with no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged Nextcloud account (via phishing, credential reuse, or as a legitimate but malicious internal user) and is permitted to use the Tables app submits a crafted column or filter parameter via the Tables REST API. The payload is designed to break out of the 20-byte length cap and is stored, so when the application later assembles SQL using the value, attacker-controlled SQL executes against the Nextcloud database, allowing exfiltration of other users' data or unauthorized modification of records. … |
| Remediation | Upgrade the Nextcloud Tables app to a vendor-released patched version: 0.7.7, 0.8.10, 0.9.8, 1.0.4, or 2.0.0, as confirmed in advisory GHSA-x43f-gmgh-vvjj (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x43f-gmgh-vvjj) with the corresponding upstream fix in pull request https://github.com/nextcloud/tables/pull/2309. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 HOURS: Identify all users with Nextcloud Tables feature access and review their privilege levels; assess data sensitivity in affected databases. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing
A security vulnerability in Nextcloud Calendar (CVSS 5.7). Risk factors: public PoC available. Vendor patch is available
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attacker
Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to
Improper authorization in the Nextcloud Server CalDAV backend allows an authenticated user who knows another user's prin
Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicio
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5
Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing a
Comment authorization bypass in Nextcloud Server 31.x and 32.x allows authenticated low-privilege users to read all file
Nextcloud Server's link share attachment access bypasses password protection and download restrictions for authenticated
Privilege escalation in the Nextcloud Approval app (prior to version 2.7.2) allows authenticated users who lack sharing
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33715