Unrated severityNVD Advisory· Published Dec 5, 2025· Updated Dec 9, 2025

Nextcloud Tables is missing an ownership check which allows moving columns into tables of other users

CVE-2025-66551

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3.

Affected products

Nextcloud/Tablesllm-fuzzy
Range: <0.8.6 (or ≥0.8.0 <0.8.6) and <0.9.3 (or ≥0.9.0 <0.9.3)
nextcloud/security-advisoriesv5
Range: >= 0.9.0-beta.1, < 0.9.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7mitrex_refsource_CONFIRM
github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731cmitrex_refsource_MISC
github.com/nextcloud/tables/pull/1810mitrex_refsource_MISC
hackerone.com/reports/3137895mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000