Critical SQL injection vulnerability in Nextcloud Server

Cybersecurity specialists report the detection of a critical vulnerability in Nextcloud Server, part of the client-server programs developed by Nextcloud that allow the creation of file hosting services. According to the report, successful exploitation of the flaw would allow the deployment of multiple hacking tasks.

Tracked as CVE-2021-43608, the vulnerability exists due to insufficient sanitization of user-provided data in the affected application, which would allow threat actors to send specially crafted requests to trigger the execution of arbitrary SQL commands.

The vulnerability received a score of 8.5/10 according to the Common Vulnerability Scoring System (CVSS) and is considered a critical bug, as its successful exploitation would allow threat actors to read, delete or modify information in the affected database, gaining full control over the vulnerable application.

According to the report, the flaw resides in all versions of Nextcloud Server between 21.0.0 and 22.2.2.


While the vulnerability could be exploited by remote, unauthenticated threat actors, no active exploitation attempts or malware variants associated with the attack have been identified so far. Still, Nextcloud recommends users of affected deployments upgrade soon; the required patches are already available.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.