Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for nocobase by nocobase

    CVE-2026-41641 (GCVE-0-2026-41641)

    Vulnerability from nvd – Published: 2026-05-07 04:13 – Updated: 2026-05-07 14:14
    VLAI
    Title
    NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:13:49.780425Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:14:23.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:13:33.609Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9134",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9134"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-wrwh-c28m-9jjh",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41641",
        "datePublished": "2026-05-07T04:13:33.609Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T14:14:23.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41640 (GCVE-0-2026-41640)

    Vulnerability from nvd – Published: 2026-05-07 04:09 – Updated: 2026-05-07 12:55
    VLAI
    Title
    NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41640",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T12:54:23.331234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T12:55:04.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:09:59.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9133",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9133"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-4948-f92q-f432",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41640",
        "datePublished": "2026-05-07T04:09:59.264Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T12:55:04.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40346 (GCVE-0-2026-40346)

    Vulnerability from nvd – Published: 2026-04-17 23:54 – Updated: 2026-04-20 14:56
    VLAI
    Title
    NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40346",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-20T14:42:37.238641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T14:56:12.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "@nocobase/plugin-workflow-request",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.37"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase\u0027s workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T23:54:34.829Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9079",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9079"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37"
            }
          ],
          "source": {
            "advisory": "GHSA-mvvv-v22x-xqwp",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40346",
        "datePublished": "2026-04-17T23:54:34.829Z",
        "dateReserved": "2026-04-10T22:50:01.358Z",
        "dateUpdated": "2026-04-20T14:56:12.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34825 (GCVE-0-2026-34825)

    Vulnerability from nvd – Published: 2026-04-02 19:06 – Updated: 2026-04-03 12:56
    VLAI
    Title
    NocoBase Has SQL Injection via template variable substitution in workflow SQL node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.30
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34825",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T12:56:37.627950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T12:56:41.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.30"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T19:06:07.592Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"
            }
          ],
          "source": {
            "advisory": "GHSA-vx58-fwwq-5g8j",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34825",
        "datePublished": "2026-04-02T19:06:07.592Z",
        "dateReserved": "2026-03-30T20:52:53.283Z",
        "dateUpdated": "2026-04-03T12:56:41.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34156 (GCVE-0-2026-34156)

    Vulnerability from nvd – Published: 2026-03-31 13:33 – Updated: 2026-04-02 15:08
    VLAI
    Title
    NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.28
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34156",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-02T15:08:26.814719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-02T15:08:38.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.28"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase\u0027s Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T13:33:11.325Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/8967",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/8967"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28"
            }
          ],
          "source": {
            "advisory": "GHSA-px3p-vgh9-m57c",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34156",
        "datePublished": "2026-03-31T13:33:11.325Z",
        "dateReserved": "2026-03-25T20:12:04.196Z",
        "dateUpdated": "2026-04-02T15:08:38.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41641 (GCVE-0-2026-41641)

    Vulnerability from cvelistv5 – Published: 2026-05-07 04:13 – Updated: 2026-05-07 14:14
    VLAI
    Title
    NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T14:13:49.780425Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T14:14:23.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:13:33.609Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9134",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9134"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-wrwh-c28m-9jjh",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41641",
        "datePublished": "2026-05-07T04:13:33.609Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T14:14:23.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-41640 (GCVE-0-2026-41640)

    Vulnerability from cvelistv5 – Published: 2026-05-07 04:09 – Updated: 2026-05-07 12:55
    VLAI
    Title
    NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.39
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-41640",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-07T12:54:23.331234Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-07T12:55:04.738Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.39"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T04:09:59.264Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9133",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9133"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.39"
            }
          ],
          "source": {
            "advisory": "GHSA-4948-f92q-f432",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-41640",
        "datePublished": "2026-05-07T04:09:59.264Z",
        "dateReserved": "2026-04-21T23:58:43.801Z",
        "dateUpdated": "2026-05-07T12:55:04.738Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40346 (GCVE-0-2026-40346)

    Vulnerability from cvelistv5 – Published: 2026-04-17 23:54 – Updated: 2026-04-20 14:56
    VLAI
    Title
    NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40346",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-20T14:42:37.238641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T14:56:12.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "@nocobase/plugin-workflow-request",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.37"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase\u0027s workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T23:54:34.829Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/9079",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/9079"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.37"
            }
          ],
          "source": {
            "advisory": "GHSA-mvvv-v22x-xqwp",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40346",
        "datePublished": "2026-04-17T23:54:34.829Z",
        "dateReserved": "2026-04-10T22:50:01.358Z",
        "dateUpdated": "2026-04-20T14:56:12.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34825 (GCVE-0-2026-34825)

    Vulnerability from cvelistv5 – Published: 2026-04-02 19:06 – Updated: 2026-04-03 12:56
    VLAI
    Title
    NocoBase Has SQL Injection via template variable substitution in workflow SQL node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.30
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34825",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T12:56:37.627950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T12:56:41.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.30"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T19:06:07.592Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
            },
            {
              "name": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"
            }
          ],
          "source": {
            "advisory": "GHSA-vx58-fwwq-5g8j",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Has SQL Injection via template variable substitution in workflow SQL node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34825",
        "datePublished": "2026-04-02T19:06:07.592Z",
        "dateReserved": "2026-03-30T20:52:53.283Z",
        "dateUpdated": "2026-04-03T12:56:41.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34156 (GCVE-0-2026-34156)

    Vulnerability from cvelistv5 – Published: 2026-03-31 13:33 – Updated: 2026-04-02 15:08
    VLAI
    Title
    NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
    Summary
    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-913 - Improper Control of Dynamically-Managed Code Resources
    Assigner
    Impacted products
    Vendor Product Version
    nocobase nocobase Affected: < 2.0.28
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34156",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-02T15:08:26.814719Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-02T15:08:38.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nocobase",
              "vendor": "nocobase",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.28"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase\u0027s Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-913",
                  "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T13:33:11.325Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c"
            },
            {
              "name": "https://github.com/nocobase/nocobase/pull/8967",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/pull/8967"
            },
            {
              "name": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.28"
            }
          ],
          "source": {
            "advisory": "GHSA-px3p-vgh9-m57c",
            "discovery": "UNKNOWN"
          },
          "title": "NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34156",
        "datePublished": "2026-03-31T13:33:11.325Z",
        "dateReserved": "2026-03-25T20:12:04.196Z",
        "dateUpdated": "2026-04-02T15:08:38.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }