Skip to main content

Nocobase

4 CVEs product

Monthly

CVE-2026-55410 MEDIUM PATCH This Month

Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the commit diff confirms the mechanism is straightforward and the fix is available in v2.1.19.

Node.js Command Injection PostgreSQL Nocobase
NVD GitHub
CVSS 3.1
6.7
CVE-2026-52887 CRITICAL PATCH Act Now

SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.

SQLi PostgreSQL Nocobase
NVD GitHub
CVSS 3.1
10.0
CVE-2026-52888 MEDIUM PATCH This Month

PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.

Information Disclosure PostgreSQL Nocobase
NVD GitHub
CVSS 3.1
6.8
CVE-2026-58468 MEDIUM POC This Month

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. A publicly available proof-of-concept exists per VulnCheck reporting; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis, though the IAM credential theft potential elevates real-world impact significantly for cloud-hosted deployments.

SSRF Nocobase
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVSS 6.7
MEDIUM PATCH This Month

Command injection in NocoBase's @nocobase/plugin-backups prior to v2.1.19 allows an authenticated backup-management user to execute arbitrary OS commands as the NocoBase server process by restoring a crafted backup archive. The database.schema field from a backup's _metadata.json is interpolated directly into a shell command string passed to Node.js child_process.exec(), a classic CWE-78 pattern that bypasses any sanitization at the shell level. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, but the commit diff confirms the mechanism is straightforward and the fix is available in v2.1.19.

Node.js Command Injection PostgreSQL +1
NVD GitHub
CVSS 10.0
CRITICAL PATCH Act Now

SQL injection in NocoBase's @nocobase/plugin-notification-in-app-message (before 2.0.61) lets any signed-up authenticated user reach GET /api/myInAppChannels:list and inject into the filter[latestMsgReceiveTimestamp][$lt] parameter, which is concatenated into a Sequelize.literal() template with no escaping or parameter binding. Because PostgreSQL permits stacked statements through this sink, an attacker can run arbitrary SQL and escalate to operating-system command execution via COPY ... TO PROGRAM. No public exploit identified at time of analysis and the flaw is not in CISA KEV, but the code fix and regression tests are public in the vendor commit, and the vendor rates it CVSS 10.0.

SQLi PostgreSQL Nocobase
NVD GitHub
CVSS 6.8
MEDIUM PATCH This Month

PostgreSQL password hash disclosure in NocoBase 2.0.59 and earlier allows an authenticated administrator to extract pg_shadow credential hashes and database metadata by submitting raw SQL queries that reference system catalog tables omitted from the checkSQL() keyword blacklist. The SQL Collection plugin's blocklist-based validation failed to restrict pg_shadow, pg_roles, pg_stat_activity, and information_schema, and the commit diff confirms the bypass also worked via subquery wrapping (e.g., SELECT * FROM (SELECT usename, passwd FROM pg_shadow) AS passwords). No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; a vendor-released patch is available in v2.1.0-alpha.46.

Information Disclosure PostgreSQL Nocobase
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Server-side request forgery in NocoBase through v2.1.20 allows authenticated administrators to issue arbitrary outbound HTTP requests via the serverRequest wrapper, enabling internal network enumeration and cloud instance metadata exfiltration. The attack surface spans workflow request nodes, custom request action buttons, and the AI plugin - all of which accept administrator-supplied URLs without adequate server-side validation. A publicly available proof-of-concept exists per VulnCheck reporting; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis, though the IAM credential theft potential elevates real-world impact significantly for cloud-hosted deployments.

SSRF Nocobase
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy