Vulnerability Details CVE-2026-45722
Nextcloud is an open source content collaboration platform. In the Tables app, from versions 0.9.0 to before 0.9.7 and from 1.0.0 to before 1.0.2, missing sanitization allowed a user with access to the Tables app to perform a limited SQL injection in the ORDER BY clause of a query. Compared to a normal SQL injection, an injection in the ORDER BY clause is limited to extracting a single bit of information per request or making the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.4%
CVSS Severity
CVSS v3 Score 7.1
Products affected by CVE-2026-45722
- cpe:2.3:a:nextcloud:tables:0.9.0
- cpe:2.3:a:nextcloud:tables:0.9.1
- cpe:2.3:a:nextcloud:tables:0.9.2
- cpe:2.3:a:nextcloud:tables:0.9.3
- cpe:2.3:a:nextcloud:tables:0.9.4
- cpe:2.3:a:nextcloud:tables:0.9.5
- cpe:2.3:a:nextcloud:tables:0.9.6
- cpe:2.3:a:nextcloud:tables:1.0.0
- cpe:2.3:a:nextcloud:tables:1.0.1