Skip to main content

Nextcloud Tables EUVDEUVD-2026-33719

| CVE-2026-45722 HIGH
SQL Injection (CWE-89)
2026-06-01 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 01, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 01, 2026 - 19:22 vuln.today
Analysis Generated
Jun 01, 2026 - 19:22 vuln.today

DescriptionGitHub Advisory

Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.

AnalysisAI

Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing authenticated users with access to the Tables app to inject SQL into the ORDER BY clause of database queries. The flaw permits bit-by-bit data extraction or time-based exfiltration against the underlying database, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Nextcloud as low-privilege user
Delivery
Open Tables app with accessible table
Exploit
Submit sort request with malicious mode parameter
Execution
Inject conditional ORDER BY payload
Persist
Iterate requests to extract data bit-by-bit
Impact
Reconstruct sensitive database contents

Vulnerability AssessmentAI

Exploitation The attacker must have a valid Nextcloud account and be granted access to the Tables app (PR:L in the CVSS vector); no user interaction is required and the attack is performed over the network against the standard Nextcloud HTTP endpoints. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) accurately reflects a network-reachable, low-complexity issue requiring authenticated access with high confidentiality impact and low availability impact (consistent with time-based DoS via SLEEP-style payloads). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege Nextcloud user with access to the Tables app crafts a request to sort a table, injecting a conditional expression into the sort mode parameter (e.g., a CASE WHEN clause that orders rows differently based on a single bit of a target value such as an oc_users password hash). By scripting hundreds of such requests, the attacker reconstructs arbitrary database content byte-by-byte; alternatively, they inject a database SLEEP() to confirm exploitability or cause minor availability degradation.
Remediation Upgrade the Nextcloud Tables app to version 0.9.7 (for the 0.9.x branch) or 1.0.2 (for the 1.0.x branch), both of which contain the fix in PR https://github.com/nextcloud/tables/pull/2186 that adds an ASC/DESC allowlist for sort modes and replaces raw createFunction() string concatenation with parameterized query-builder methods. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Nextcloud Tables deployments and confirm installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2025-66208 CRITICAL
9.8 Dec 03

Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing

CVE-2025-66550 MEDIUM POC
5.7 Dec 05

A security vulnerability in Nextcloud Calendar (CVSS 5.7). Risk factors: public PoC available. Vendor patch is available

CVE-2019-25368 MEDIUM POC
5.4 Feb 15

OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attacker

CVE-2026-28474 CRITICAL
9.3 Mar 05

Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to

CVE-2026-45545 HIGH
8.2 Jun 01

SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitr

CVE-2026-45281 HIGH
8.1 Jun 01

Improper authorization in the Nextcloud Server CalDAV backend allows an authenticated user who knows another user's prin

CVE-2026-45156 HIGH
8.1 Jun 01

Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicio

CVE-2025-66554 LOW POC
3.5 Dec 05

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5

CVE-2026-45810 MEDIUM
6.8 Jun 01

Comment authorization bypass in Nextcloud Server 31.x and 32.x allows authenticated low-privilege users to read all file

CVE-2026-45282 MEDIUM
6.5 Jun 01

Nextcloud Server's link share attachment access bypasses password protection and download restrictions for authenticated

CVE-2026-45275 MEDIUM
6.5 Jun 01

Privilege escalation in the Nextcloud Approval app (prior to version 2.7.2) allows authenticated users who lack sharing

Share

EUVD-2026-33719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy