{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-58051", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-22T14:30:32.221Z", "datePublished": "2025-10-16T16:48:19.618Z", "dateUpdated": "2025-10-16T18:13:19.134Z"}, "containers": {"cna": {"title": "Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table", "problemTypes": [{"descriptions": [{"cweId": "CWE-841", "lang": "en", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6"}, {"name": "https://github.com/nextcloud/tables/pull/1936", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/tables/pull/1936"}, {"name": "https://hackerone.com/reports/3249624", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/3249624"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">= 0.7.0, < 0.7.6", "status": "affected"}, {"version": ">= 0.8.0, < 0.8.8", "status": "affected"}, {"version": ">= 0.9.0, < 0.9.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T16:48:19.618Z"}, "descriptions": [{"lang": "en", "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5."}], "source": {"advisory": "GHSA-wpp5-4w35-pxq6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T18:03:43.989845Z", "id": "CVE-2025-58051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T18:13:19.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-58051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-16T18:03:43.989845Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T18:13:14.890Z"}}], "cna": {"title": "Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table", "source": {"advisory": "GHSA-wpp5-4w35-pxq6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"status": "affected", "version": ">= 0.7.0, < 0.7.6"}, {"status": "affected", "version": ">= 0.8.0, < 0.8.8"}, {"status": "affected", "version": ">= 0.9.0, < 0.9.5"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextcloud/tables/pull/1936", "name": "https://github.com/nextcloud/tables/pull/1936", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/3249624", "name": "https://hackerone.com/reports/3249624", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-10-16T16:48:19.618Z"}}}, "cveMetadata": {"cveId": "CVE-2025-58051", "state": "PUBLISHED", "dateUpdated": "2025-10-16T18:13:19.134Z", "dateReserved": "2025-08-22T14:30:32.221Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-10-16T16:48:19.618Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5."}], "id": "CVE-2025-58051", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-10-16T17:15:34.417", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6"}, {"source": "security-advisories@github.com", "url": "https://github.com/nextcloud/tables/pull/1936"}, {"source": "security-advisories@github.com", "url": "https://hackerone.com/reports/3249624"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-841"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-10-20T13:24:58.565452+00:00", "updated": "2025-10-20T13:24:58.565476+00:00", "vendors": ["nextcloud", "nextcloud$PRODUCT$tables"]}