CVE-2025-58051
- Source
- https://cve.org/CVERecord?id=CVE-2025-58051
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58051.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-58051
- Aliases
-
- GHSA-wpp5-4w35-pxq6
- Published
- 2025-10-16T16:48:19.618Z
- Modified
- 2026-04-10T05:31:16.262863Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table
- Details
-
Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-841" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58051.json" }- References
-
- https://hackerone.com/reports/3249624
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58051.json
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6
- https://nvd.nist.gov/vuln/detail/CVE-2025-58051
- https://github.com/nextcloud/tables/pull/1936