
    6 vulnerabilities by nocobase

    CVE-2026-41641 (GCVE-0-2026-41641)

    Vulnerability from cvelistv5 – Published: 2026-05-07 04:13 – Updated: 2026-05-07 14:14
    Title
    NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:13:49.780425Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:14:23.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:13:33.609Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9134",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9134"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-wrwh-c28m-9jjh",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41641",
        "datePublished": "2026-05-07T04:13:33.609Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T14:14:23.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41640 (GCVE-0-2026-41640)

    Vulnerability from cvelistv5 – Published: 2026-05-07 04:09 – Updated: 2026-05-07 12:55
    Title
    NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41640",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T12:54:23.331234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T12:55:04.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:09:59.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9133",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9133"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-4948-f92q-f432",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41640",
        "datePublished": "2026-05-07T04:09:59.264Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T12:55:04.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40346 (GCVE-0-2026-40346)

    Vulnerability from cvelistv5 – Published: 2026-04-17 23:54 – Updated: 2026-04-20 14:56
    Title
    NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    nocobase @nocobase/plugin-workflow-request Affected: < 2.0.37

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40346",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-20T14:42:37.238641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T14:56:12.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "@nocobase/plugin-workflow-request",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.37"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase\u0027s workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T23:54:34.829Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9079",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9079"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37"
            }
          ],
          "source": {
            "advisory": "GHSA-mvvv-v22x-xqwp",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40346",
        "datePublished": "2026-04-17T23:54:34.829Z",
        "dateReserved": "2026-04-10T22:50:01.358Z",
        "dateUpdated": "2026-04-20T14:56:12.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6224 (GCVE-0-2026-6224)

    Vulnerability from cvelistv5 – Published: 2026-04-13 21:15 – Updated: 2026-04-14 16:28
    Title
    nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox
    Summary
    A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in a sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc · Automatable: yes · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-265 - Sandbox Issue
    • CWE-264 - Improper Access Controls
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/357142 vdb-entry, technical-description
    https://vuldb.com/vuln/357142/cti signature, permissions-required
    https://vuldb.com/submit/785881 third-party-advisory
    https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md exploit
    Impacted products
    Vendor Product Version
    nocobase plugin-workflow-javascript Affected: 2.0.0
    Affected: 2.0.1
    Affected: 2.0.2
    Affected: 2.0.3
    Affected: 2.0.4
    Affected: 2.0.5
    Affected: 2.0.6
    Affected: 2.0.7
    Affected: 2.0.8
    Affected: 2.0.9
    Affected: 2.0.10
    Affected: 2.0.11
    Affected: 2.0.12
    Affected: 2.0.13
    Affected: 2.0.14
    Affected: 2.0.15
    Affected: 2.0.16
    Affected: 2.0.17
    Affected: 2.0.18
    Affected: 2.0.19
    Affected: 2.0.20
    Affected: 2.0.21
    Affected: 2.0.22
    Affected: 2.0.23
    Credits
    Paaai (VulDB User), VulDB CNA Team

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6224",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T15:30:15.271468Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T16:28:30.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "plugin-workflow-javascript",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.0"
                },
                {
                  "status": "affected",
                  "version": "2.0.1"
                },
                {
                  "status": "affected",
                  "version": "2.0.2"
                },
                {
                  "status": "affected",
                  "version": "2.0.3"
                },
                {
                  "status": "affected",
                  "version": "2.0.4"
                },
                {
                  "status": "affected",
                  "version": "2.0.5"
                },
                {
                  "status": "affected",
                  "version": "2.0.6"
                },
                {
                  "status": "affected",
                  "version": "2.0.7"
                },
                {
                  "status": "affected",
                  "version": "2.0.8"
                },
                {
                  "status": "affected",
                  "version": "2.0.9"
                },
                {
                  "status": "affected",
                  "version": "2.0.10"
                },
                {
                  "status": "affected",
                  "version": "2.0.11"
                },
                {
                  "status": "affected",
                  "version": "2.0.12"
                },
                {
                  "status": "affected",
                  "version": "2.0.13"
                },
                {
                  "status": "affected",
                  "version": "2.0.14"
                },
                {
                  "status": "affected",
                  "version": "2.0.15"
                },
                {
                  "status": "affected",
                  "version": "2.0.16"
                },
                {
                  "status": "affected",
                  "version": "2.0.17"
                },
                {
                  "status": "affected",
                  "version": "2.0.18"
                },
                {
                  "status": "affected",
                  "version": "2.0.19"
                },
                {
                  "status": "affected",
                  "version": "2.0.20"
                },
                {
                  "status": "affected",
                  "version": "2.0.21"
                },
                {
                  "status": "affected",
                  "version": "2.0.22"
                },
                {
                  "status": "affected",
                  "version": "2.0.23"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Paaai (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-265",
                  "description": "Sandbox Issue",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-264",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-13T21:15:11.914Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-357142 | nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/357142"
            },
            {
              "name": "VDB-357142 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/357142/cti"
            },
            {
              "name": "Submit #785881 | NocoBase 2.0.23 Sandbox Issue",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/785881"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-13T15:54:30.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-6224",
        "datePublished": "2026-04-13T21:15:11.914Z",
        "dateReserved": "2026-04-13T13:49:25.263Z",
        "dateUpdated": "2026-04-14T16:28:30.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34825 (GCVE-0-2026-34825)

    Vulnerability from cvelistv5 – Published: 2026-04-02 19:06 – Updated: 2026-04-03 12:56
    Title
    NocoBase Has SQL Injection via template variable substitution in workflow SQL node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.30

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34825",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T12:56:37.627950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T12:56:41.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.30"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T19:06:07.592Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"
            }
          ],
          "source": {
            "advisory": "GHSA-vx58-fwwq-5g8j",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34825",
        "datePublished": "2026-04-02T19:06:07.592Z",
        "dateReserved": "2026-03-30T20:52:53.283Z",
        "dateUpdated": "2026-04-03T12:56:41.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34156 (GCVE-0-2026-34156)

    Vulnerability from cvelistv5 – Published: 2026-03-31 13:33 – Updated: 2026-04-02 15:08
    Title
    NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.28

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34156",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-02T15:08:26.814719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-02T15:08:38.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.28"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase\u0027s Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T13:33:11.325Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/8967",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/8967"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28"
            }
          ],
          "source": {
            "advisory": "GHSA-px3p-vgh9-m57c",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34156",
        "datePublished": "2026-03-31T13:33:11.325Z",
        "dateReserved": "2026-03-25T20:12:04.196Z",
        "dateUpdated": "2026-04-02T15:08:38.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }