VYPR
Medium severity 6.5 · OSV Advisory · Published Oct 16, 2025 · Updated Apr 15, 2026

CVE-2025-58051

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to versions 0.7.6, 0.8.8, and 0.9.5, a user importing a table was able to specify files on the server; when a file's format was supported by the PhpSpreadsheet library in use, the file was included in the import and its content leaked to the user. It is recommended that the Nextcloud Tables app be upgraded to 0.7.6, 0.8.8 or 0.9.5.
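
A branch-aware check for the version ranges given above, as an added example that is not part of the advisory or of the Nextcloud Tables code base. It reads `<version>` from the contents of the app's `appinfo/info.xml`; the sample XML is constructed, and treating branches newer than 0.9 as outside the affected range is an assumption drawn from the advisory's wording.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each branch, as stated in the advisory text.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 8), (0, 9): (0, 9, 5)}

# Constructed sample, reduced to the elements this check needs.
SAMPLE_INFO_XML = """<info>
  <id>tables</id>
  <description><![CDATA[Manage data within tables.]]></description>
  <version>0.9.4</version>
  <namespace>Tables</namespace>
</info>"""


def parse_version(text):
    """Turn '0.9.4' into (0, 9, 4); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    if not m:
        # Pre-release or malformed strings need a manual look, not a guess.
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def installed_version(info_xml):
    """Read <version> from the contents of appinfo/info.xml."""
    node = ET.fromstring(info_xml).find("version")
    if node is None:
        raise ValueError("info.xml has no <version> element")
    return parse_version(node.text)


def is_affected(version):
    """True when the version predates the fix on its own branch."""
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Assumption: branches older than 0.7 received no fix and count as
    # affected; branches newer than 0.9 are outside the advisory's ranges.
    return branch < min(FIXED)


def triage(info_xml):
    """Return (installed, affected, first fixed release to move to or None)."""
    version = installed_version(info_xml)
    affected = is_affected(version)
    target = FIXED.get(version[:2], FIXED[min(FIXED)]) if affected else None
    dotted = lambda t: ".".join(str(n) for n in t)
    return dotted(version), affected, dotted(target) if target else None


if __name__ == "__main__":
    print(triage(SAMPLE_INFO_XML))
```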

Affected products

1

Patches

3
01491d6061ec

Merge pull request #1946 from nextcloud/release/0.7.6

https://github.com/nextcloud/tables · Enjeck · Jul 25, 2025 · via osv
4 files changed · +19 -4
  • appinfo/info.xml · +1 -1 · modified
    @@ -21,7 +21,7 @@ Share your tables and views with users and groups within your cloud.
     Have a good time and manage whatever you want.
     
     ]]></description>
    -	<version>0.7.5</version>
    +	<version>0.7.6</version>
     	<licence>agpl</licence>
     	<author mail="florian.steffens@nextcloud.com">Florian Steffens</author>
     	<namespace>Tables</namespace>
    
  • CHANGELOG.md · +15 -0 · modified
    @@ -1,5 +1,20 @@
     # Changelog
     
    +## 0.7.6
    +
    +### Fixed
    +* [[stable0.7] fix(View): column might be saved as null (tables#1229)](https://github.com/nextcloud/tables/pull/1229)
    +* [[stable0.7] Analytics: permission error on shared tables with non-shared views (tables#1253)](https://github.com/nextcloud/tables/pull/1253)
    +* [[stable0.7] Fix npm audit (tables#1335)](https://github.com/nextcloud/tables/pull/1335)
    +* [[stable0.7] fix: use actions/upload-artifact v4 for cypress workflow (tables#1349)](https://github.com/nextcloud/tables/pull/1349)
    +* [Fix(deps): update dependency vue-material-design-icons to ^5.3.1 (stable0.7) (tables#1417)](https://github.com/nextcloud/tables/pull/1417)
    +* [[stable0.7] fix: use unique names for actions upload-artifact (tables#1419)](https://github.com/nextcloud/tables/pull/1419)
    +
    +### Other
    +* [[stable0.7] build(package): avoid shipping unnecessary files (tables#1937)](https://github.com/nextcloud/tables/pull/1937)
    +* [[stable0.7] style: format constructor params import methods and classes (tables#1942)](https://github.com/nextcloud/tables/pull/1942)
    +
    +
     ## 0.7.5
     
     ### Fixed
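
Review bot: the new `## 0.7.6` section has no entry for the table-import file disclosure that this release is listed as patching; the only import-related line is the style change tables#1942 under `### Other`. Add a short security entry, or a link to the advisory, so that an administrator reading the changelog can tell the upgrade is security-relevant. Minor: the hunk adds two blank lines before `## 0.7.5`, where one is enough.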
    
  • package.json · +1 -1 · modified
    @@ -1,7 +1,7 @@
     {
       "name": "tables",
       "description": "Manage data within tables.",
    -  "version": "0.7.5",
    +  "version": "0.7.6",
       "author": "Florian Steffens <florian.steffens@nextcloud.com",
       "bugs": {
         "url": "https://github.com/nextcloud/tables/issues"
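
Review bot: the `author` context line in this hunk, `"Florian Steffens <florian.steffens@nextcloud.com"`, is missing the closing `>` after the e-mail address, so the value is not a well-formed `Name <email>` string. The file is already being touched for the version bump, so close the bracket in the same change.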
    
  • package-lock.json · +2 -2 · modified
    @@ -1,12 +1,12 @@
     {
       "name": "tables",
    -  "version": "0.7.5",
    +  "version": "0.7.6",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
         "": {
           "name": "tables",
    -      "version": "0.7.5",
    +      "version": "0.7.6",
           "license": "agpl",
           "dependencies": {
             "@mdi/svg": "^7.4.47",
    
369d70c52b14

Merge pull request #1945 from nextcloud/release/0.9.5

https://github.com/nextcloud/tables · Enjeck · Jul 25, 2025 · via osv
5 files changed · +28 -5
  • appinfo/info.xml · +1 -1 · modified
    @@ -26,7 +26,7 @@ Share your tables and views with users and groups within your cloud.
     Have a good time and manage whatever you want.
     
     ]]></description>
    -	<version>0.9.4</version>
    +	<version>0.9.5</version>
     	<licence>agpl</licence>
     	<author mail="florian.steffens@nextcloud.com">Florian Steffens</author>
     	<namespace>Tables</namespace>
    
  • CHANGELOG.md · +23 -0 · modified
    @@ -5,6 +5,29 @@
     
     # Changelog
     
    +## 0.9.5
    +
    +### Fixed
    +
    +* [Fix(DB): reduce number of SQL queries to get shares (tables#1749)](https://github.com/nextcloud/tables/pull/1749)
    +* [[stable0.9] fix: update table edit functionality and improve element selectors (tables#1909)](https://github.com/nextcloud/tables/pull/1909)
    +
    +### Dependencies
    +
    +* [Fix(deps): update dependency @nextcloud/auth to ^2.5.2 (stable0.9) (tables#1920)](https://github.com/nextcloud/tables/pull/1920)
    +* [Fix(deps): update dependency @nextcloud/moment to ^1.3.5 (stable0.9) (tables#1921)](https://github.com/nextcloud/tables/pull/1921)
    +* [Fix(deps): update dependency phpoffice/phpspreadsheet to ^1.29.11 (stable0.9) (tables#1922)](https://github.com/nextcloud/tables/pull/1922)
    +* [Fix(deps): update dependency @nextcloud/l10n to ^3.4.0 (stable0.9) (tables#1925)](https://github.com/nextcloud/tables/pull/1925)
    +* [Fix(deps): update dependency @nextcloud/vue to ^8.28.0 (stable0.9) (tables#1926)](https://github.com/nextcloud/tables/pull/1926)
    +
    +### Other
    +
    +* [Chore(deps): update dependency @rollup/rollup-linux-x64-gnu to ^4.45.1 (stable0.9) (tables#1923)](https://github.com/nextcloud/tables/pull/1923)
    +* [Chore(deps): update dependency nextcloud/openapi-extractor to ^1.8.1 (stable0.9) (tables#1924)](https://github.com/nextcloud/tables/pull/1924)
    +* [[stable0.9] build(package): avoid shipping unnecessary files (tables#1939)](https://github.com/nextcloud/tables/pull/1939)
    +* [[stable0.9] style: format constructor params import methods and classes (tables#1940)](https://github.com/nextcloud/tables/pull/1940)
    +
    +
     ## 0.9.4
     
     ### Added
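
Review bot: under `### Dependencies` the phpoffice/phpspreadsheet bump to ^1.29.11 (tables#1922) is listed like any routine update, and nothing in the `## 0.9.5` section mentions the import issue, so the changelog gives no hint of which entry, if any, relates to it. State the security-relevant change explicitly in `### Fixed` or in a dedicated security entry. Style: the entry prefixes mix `Fix(deps)` / `Chore(deps)` with lower-case `fix:` / `build(package)`; pick one capitalisation.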
    
  • cypress/e2e/ToDo list.json · +1 -1 · modified
    @@ -1 +1 @@
    -{"title":"ToDo list","emoji":"\u2705","columns":[{"id":91,"tableId":19,"title":"Task","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"line","mandatory":true,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":92,"tableId":19,"title":"Description","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"Title or short description","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":93,"tableId":19,"title":"Target","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"Date, time or 
whatever","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":94,"tableId":19,"title":"Progress","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"number","subtype":"progress","mandatory":false,"description":"","numberDefault":0,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":95,"tableId":19,"title":"Comments","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":96,"tableId":19,"title":"Proofed","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 
07:23:28","type":"selection","subtype":"check","mandatory":false,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false}],"views":[{"id":16,"tableId":19,"title":"Unfinished Tasks","description":"","emoji":"\u274c","ownership":"admin","createdBy":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditAt":"2025-07-03 07:38:29","columns":[93,92,94,96,95,91],"columnSettings":[{"columnId":93,"order":0},{"columnId":92,"order":1},{"columnId":94,"order":2},{"columnId":96,"order":3},{"columnId":95,"order":4},{"columnId":91,"order":5}],"sort":[{"columnId":-4,"mode":"DESC"}],"isShared":false,"favorite":false,"onSharePermissions":null,"hasShares":false,"rowsCount":0,"ownerDisplayName":"admin","filter":[[{"columnId":94,"operator":"is-lower-than","value":"100"}]]}],"description":"","tablesVersion":"0.9.4"}
    \ No newline at end of file
    +{"title":"ToDo list","emoji":"\u2705","columns":[{"id":91,"tableId":19,"title":"Task","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"line","mandatory":true,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":92,"tableId":19,"title":"Description","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"Title or short description","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":93,"tableId":19,"title":"Target","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"Date, time or 
whatever","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":94,"tableId":19,"title":"Progress","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"number","subtype":"progress","mandatory":false,"description":"","numberDefault":0,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":95,"tableId":19,"title":"Comments","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 07:23:28","type":"text","subtype":"rich","mandatory":false,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false},{"id":96,"tableId":19,"title":"Proofed","createdBy":"admin","createdByDisplayName":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditByDisplayName":"admin","lastEditAt":"2025-07-03 
07:23:28","type":"selection","subtype":"check","mandatory":false,"description":"","numberDefault":null,"numberMin":null,"numberMax":null,"numberDecimals":0,"numberPrefix":"","numberSuffix":"","textDefault":"","textAllowedPattern":"","textMaxLength":-1,"selectionOptions":[],"selectionDefault":"","datetimeDefault":"","usergroupDefault":[],"usergroupMultipleItems":false,"usergroupSelectUsers":false,"usergroupSelectGroups":false,"usergroupSelectTeams":false,"showUserStatus":false}],"views":[{"id":16,"tableId":19,"title":"Unfinished Tasks","description":"","emoji":"\u274c","ownership":"admin","createdBy":"admin","createdAt":"2025-07-03 07:23:28","lastEditBy":"admin","lastEditAt":"2025-07-03 07:38:29","columns":[93,92,94,96,95,91],"columnSettings":[{"columnId":93,"order":0},{"columnId":92,"order":1},{"columnId":94,"order":2},{"columnId":96,"order":3},{"columnId":95,"order":4},{"columnId":91,"order":5}],"sort":[{"columnId":-4,"mode":"DESC"}],"isShared":false,"favorite":false,"onSharePermissions":null,"hasShares":false,"rowsCount":0,"ownerDisplayName":"admin","filter":[[{"columnId":94,"operator":"is-lower-than","value":"100"}]]}],"description":"","tablesVersion":"0.9.5"}
    \ No newline at end of file
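
Review bot: the only difference between the two sides of this single-line fixture is the trailing `"tablesVersion":"0.9.4"` becoming `"0.9.5"`, so every release has to rewrite the whole line and the change cannot be checked by eye. If the test does not depend on the value, drop the field from the fixture or set it from `appinfo/info.xml` at run time. Pretty-printing the JSON and ending the file with a newline would keep future diffs to the one line that changes.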
    
  • package.json · +1 -1 · modified
    @@ -1,7 +1,7 @@
     {
       "name": "tables",
       "description": "Manage data within tables.",
    -  "version": "0.9.4",
    +  "version": "0.9.5",
       "author": "Florian Steffens <florian.steffens@nextcloud.com",
       "bugs": {
         "url": "https://github.com/nextcloud/tables/issues"
    
  • package-lock.json · +2 -2 · modified
    @@ -1,12 +1,12 @@
     {
       "name": "tables",
    -  "version": "0.9.4",
    +  "version": "0.9.5",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
         "": {
           "name": "tables",
    -      "version": "0.9.4",
    +      "version": "0.9.5",
           "license": "agpl",
           "dependencies": {
             "@mdi/svg": "^7.4.47",
    
ed9745a1d5dc

Merge pull request #1944 from nextcloud/release/0.8.8

https://github.com/nextcloud/tables · Enjeck · Jul 25, 2025 · via osv
4 files changed · +11 -4
  • appinfo/info.xml · +1 -1 · modified
    @@ -25,7 +25,7 @@ Share your tables and views with users and groups within your cloud.
     Have a good time and manage whatever you want.
     
     ]]></description>
    -	<version>0.8.7</version>
    +	<version>0.8.8</version>
     	<licence>agpl</licence>
     	<author mail="florian.steffens@nextcloud.com">Florian Steffens</author>
     	<namespace>Tables</namespace>
    
  • CHANGELOG.md · +7 -0 · modified
    @@ -5,6 +5,13 @@
     
     # Changelog
     
    +## 0.8.8
    +
    +### Other
    +
    +* [[stable0.8] build(package): avoid shipping unnecessary files (tables#1938)](https://github.com/nextcloud/tables/pull/1938)
    +* [[stable0.8] style: format constructor params import methods and classes (tables#1941)](https://github.com/nextcloud/tables/pull/1941)
    +
     ## 0.8.7
     
     ### Other
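
Review bot: the `## 0.8.8` section consists of a single `### Other` group with a packaging change (tables#1938) and a style change (tables#1941), so a reader cannot tell from it that 0.8.8 is the recommended upgrade for the import issue. Add a `### Fixed` or security entry that names the change.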
    
  • package.json · +1 -1 · modified
    @@ -1,7 +1,7 @@
     {
       "name": "tables",
       "description": "Manage data within tables.",
    -  "version": "0.8.7",
    +  "version": "0.8.8",
       "author": "Florian Steffens <florian.steffens@nextcloud.com",
       "bugs": {
         "url": "https://github.com/nextcloud/tables/issues"
    
  • package-lock.json · +2 -2 · modified
    @@ -1,12 +1,12 @@
     {
       "name": "tables",
    -  "version": "0.8.7",
    +  "version": "0.8.8",
       "lockfileVersion": 3,
       "requires": true,
       "packages": {
         "": {
           "name": "tables",
    -      "version": "0.8.7",
    +      "version": "0.8.8",
           "license": "agpl",
           "dependencies": {
             "@mdi/svg": "^7.4.47",
    
