Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.
AnalysisAI
Blind SQL injection in the Nextcloud Tables app affects versions 0.9.0 through 0.9.6 and 1.0.0 through 1.0.1, allowing authenticated users with access to the Tables app to inject SQL into the ORDER BY clause of database queries. The flaw permits bit-by-bit data extraction or time-based exfiltration against the underlying database, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have a valid Nextcloud account and be granted access to the Tables app (PR:L in the CVSS vector); no user interaction is required and the attack is performed over the network against the standard Nextcloud HTTP endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) accurately reflects a network-reachable, low-complexity issue requiring authenticated access with high confidentiality impact and low availability impact (consistent with time-based DoS via SLEEP-style payloads). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege Nextcloud user with access to the Tables app crafts a request to sort a table, injecting a conditional expression into the sort mode parameter (e.g., a CASE WHEN clause that orders rows differently based on a single bit of a target value such as an oc_users password hash). By scripting hundreds of such requests, the attacker reconstructs arbitrary database content byte-by-byte; alternatively, they inject a database SLEEP() to confirm exploitability or cause minor availability degradation. |
| Remediation | Upgrade the Nextcloud Tables app to version 0.9.7 (for the 0.9.x branch) or 1.0.2 (for the 1.0.x branch), both of which contain the fix in PR https://github.com/nextcloud/tables/pull/2186 that adds an ASC/DESC allowlist for sort modes and replaces raw createFunction() string concatenation with parameterized query-builder methods. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Nextcloud Tables deployments and confirm installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing
A security vulnerability in Nextcloud Calendar (CVSS 5.7). Risk factors: public PoC available. Vendor patch is available
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attacker
Authentication bypass in OpenClaw's Nextcloud Talk plugin versions ≤2026.2.2 allows remote unauthenticated attackers to
SQL injection in the Nextcloud Tables app allows authenticated users with access to the Tables feature to execute arbitr
Improper authorization in the Nextcloud Server CalDAV backend allows an authenticated user who knows another user's prin
Authentication bypass in Nextcloud's User OIDC app (versions 0.3.0-3.0.x, 5.0.0-5.0.x, and 6.0.0-6.3.x) allows a malicio
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5
Comment authorization bypass in Nextcloud Server 31.x and 32.x allows authenticated low-privilege users to read all file
Nextcloud Server's link share attachment access bypasses password protection and download restrictions for authenticated
Privilege escalation in the Nextcloud Approval app (prior to version 2.7.2) allows authenticated users who lack sharing
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33719