Nextcloud Tables app allowed to include local file via PhpSpreadsheet...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.

Basic Information

ID CVE-2025-58051

Source GitHub_M

Published Oct 16, 2025 at 16:48

Affected Product

Vendor nextcloud

Product security-advisories

Version >= 0.7.0, < 0.7.6

Affected Versions nextcloud security-advisories >= 0.7.0, < 0.7.6
nextcloud security-advisories >= 0.8.0, < 0.8.8
nextcloud security-advisories >= 0.9.0, < 0.9.5

CWE Classification

CWE-841

References

{
    "lastseen": "",
    "description": "Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.",
    "published": "2025-10-16T16:48:19.618Z",
    "modified": "2025-10-16T16:48:19.618Z",
    "type": "cve",
    "title": "Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table",
    "source": "GitHub_M",
    "references": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6\nhttps://github.com/nextcloud/tables/pull/1936\nhttps://hackerone.com/reports/3249624",
    "id": "CVE-2025-58051",
    "bulletinFamily": "",
    "cwe": [
        "CWE-841"
    ],
    "cvelist": null,
    "sourceData": "nextcloud security-advisories >= 0.7.0, < 0.7.6\nnextcloud security-advisories >= 0.8.0, < 0.8.8\nnextcloud security-advisories >= 0.9.0, < 0.9.5",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-advisories",
    "version": ">= 0.7.0, < 0.7.6",
    "vendor": "nextcloud",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table_CVE-2025-58051