SQL Injection Vulnerability in Nextcloud Tables App
CVE-2026-45722

7.1HIGH

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
1 June 2026

What is CVE-2026-45722?

The Nextcloud Tables app, part of the open-source content collaboration platform, contains a vulnerability due to missing sanitization processes. This flaw allows users with access to the tables feature to execute a limited SQL injection on the ORDER BY statement of a query. Although the SQL injection is constrained, it enables the extraction of a single data element per request or can be exploited to induce delays in database response times. Users are advised to upgrade to versions 0.9.7 and 1.0.2, where the issue has been effectively addressed.

Affected Version(s)

security-advisories >= 0.9.0, < 0.9.7 < 0.9.0, 0.9.7

security-advisories >= 1.0.0, < 1.0.2 < 1.0.0, 1.0.2

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/tables/pull/2186
x_refsource_MISC
https://hackerone.com/reports/3446689
x_refsource_MISC

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.