VYPR

npm package

nocodb

pkg:npm/nocodb

Vulnerabilities (25)

  • CVE-2026-28401 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.

  • CVE-2026-28399 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.

  • CVE-2026-28398 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3.

  • CVE-2026-28397 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.

  • CVE-2026-28396 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.

  • CVE-2026-28361 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has

  • CVE-2026-28360 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.

  • CVE-2026-28359 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301
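
The four rich-text entries above (CVE-2026-28401, CVE-2026-28398, CVE-2026-28397 and this one) share a root cause: the stored string is trusted as HTML and handed to v-html, and the API accepts whatever string a client sends, editor or not. The following is an added example, not NocoDB's code. It takes the other route: accept the editor's structured document (TipTap is ProseMirror-based and emits JSON), validate it on the server against a small allowlist of node and mark types, and render HTML from that, escaping all text. The node and mark names below are a hypothetical subset; anything outside the allowlist is rejected, so a client that bypasses the editor cannot smuggle markup in either as a string or as JSON.

```javascript
// Added example (not NocoDB code): validate a rich-text document server-side
// and render it with escaping, instead of storing raw HTML for v-html.
// The node/mark allowlist is a hypothetical subset of what an editor emits.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only http(s) links survive; javascript:, data: and vbscript: are dropped.
function safeHref(href) {
  try {
    const u = new URL(String(href));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

const BLOCKS = { paragraph: 'p', heading: 'h3', bulletList: 'ul', listItem: 'li' };
const MARKS = { bold: 'strong', italic: 'em', code: 'code' };

// Throws on unknown node types, unknown marks or unsafe link targets, so an
// API client posting arbitrary JSON gets a 400, and one posting an HTML
// string fails before any rendering happens.
function validateDoc(doc, depth = 0) {
  if (depth > 20 || !doc || typeof doc !== 'object') throw new Error('bad node');
  if (doc.type === 'text') {
    if (typeof doc.text !== 'string') throw new Error('text node needs text');
    for (const m of doc.marks || []) {
      if (!m || typeof m !== 'object') throw new Error('bad mark');
      if (m.type === 'link') {
        if (!safeHref(m.attrs && m.attrs.href)) throw new Error('unsafe link');
      } else if (!(m.type in MARKS)) throw new Error(`unknown mark ${m.type}`);
    }
    return;
  }
  if (doc.type !== 'doc' && !(doc.type in BLOCKS)) throw new Error(`unknown node ${doc.type}`);
  for (const child of doc.content || []) validateDoc(child, depth + 1);
}

function renderNode(node) {
  if (node.type === 'text') {
    let html = escapeHtml(node.text);               // text is always escaped
    for (const m of node.marks || []) {
      if (m.type === 'link') {
        html = `<a href="${escapeHtml(safeHref(m.attrs.href))}" rel="noopener noreferrer">${html}</a>`;
      } else {
        html = `<${MARKS[m.type]}>${html}</${MARKS[m.type]}>`;
      }
    }
    return html;
  }
  const inner = (node.content || []).map(renderNode).join('');
  return node.type === 'doc' ? inner : `<${BLOCKS[node.type]}>${inner}</${BLOCKS[node.type]}>`;
}

// Entry point for the API: HTML is produced only for documents that validate.
function renderRichText(doc) {
  validateDoc(doc);
  return renderNode(doc);
}

// Constructed inputs: a benign document and two bypass attempts.
const benign = { type: 'doc', content: [{ type: 'paragraph', content: [
  { type: 'text', text: 'See ' },
  { type: 'text', text: 'docs', marks: [{ type: 'link', attrs: { href: 'https://example.com/x?a=1&b=2' } }] },
] }] };
const xssText = { type: 'doc', content: [{ type: 'paragraph', content: [
  { type: 'text', text: '<img src=x onerror=alert(1)>' } ] }] };
const jsLink = { type: 'doc', content: [{ type: 'paragraph', content: [
  { type: 'text', text: 'click', marks: [{ type: 'link', attrs: { href: 'javascript:alert(1)' } }] } ] }] };
```

With this shape the client can keep using v-html on the server-rendered output, because every byte of it came from the allowlist or from escapeHtml; the same renderer applies to comments, which are the other v-html sink named in these advisories.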

  • CVE-2026-28358 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.

  • CVE-2026-28357 (Mar 2, 2026)
    affected: < 0.301.3; fixed: 0.301.3

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This is

  • CVE-2026-24769 (Jan 28, 2026)
    affected: < 0.301.0; fixed: 0.301.0

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are la

  • CVE-2026-24768 (Jan 28, 2026)
    affected: < 0.301.0; fixed: 0.301.0

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a use
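
The fix for an open redirect is to accept only targets inside the application and to return a normalized path, never the raw parameter. The following is an added example, not NocoDB's code; the parameter name is the one from the advisory, the fallback path is hypothetical. The check resolves the value against a fixed dummy origin, which catches protocol-relative (//evil), backslash and absolute-URL forms in one comparison, and re-checks the normalized result because path normalization can itself produce a protocol-relative string.

```javascript
// Added example (not NocoDB code): validate continueAfterSignIn as an
// in-application path. The fallback path is hypothetical.
const DEFAULT_AFTER_SIGNIN = '/dashboard';
const DUMMY_ORIGIN = 'https://app.invalid';
const SINGLE_SLASH = /^\/(?![\/\\])/;   // exactly one leading slash

function safeContinuePath(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return DEFAULT_AFTER_SIGNIN;
  // The raw value must look like a plain absolute path before parsing.
  if (!SINGLE_SLASH.test(raw)) return DEFAULT_AFTER_SIGNIN;
  let url;
  try {
    url = new URL(raw, DUMMY_ORIGIN);
  } catch {
    return DEFAULT_AFTER_SIGNIN;
  }
  // Anything that escaped the dummy origin (//evil.com, /\evil.com, https://...,
  // javascript:...) is a different origin and is rejected.
  if (url.origin !== DUMMY_ORIGIN) return DEFAULT_AFTER_SIGNIN;
  // Re-check the normalized path: "/..//evil.com" parses inside the origin
  // but normalizes to "//evil.com", which a browser would treat as a host.
  const out = url.pathname + url.search + url.hash;
  return SINGLE_SLASH.test(out) ? out : DEFAULT_AFTER_SIGNIN;
}

// The redirect after a successful sign-in uses only the validated value.
function signInRedirect(query) {
  return { status: 302, location: safeContinuePath(query && query.continueAfterSignIn) };
}
```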

  • CVE-2026-24767 (Jan 28, 2026)
    affected: < 0.301.0; fixed: 0.301.0

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enfor

  • CVE-2026-24766 (Jan 28, 2026)
    affected: < 0.301.0; fixed: 0.301.0

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-
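
A connection-test endpoint typically merges a client-supplied JSON config into server-side defaults, and a recursive merge that walks every key the client sent will happily recurse into "__proto__" and write onto Object.prototype, where every object in the process then inherits the injected value. The following is an added example, not NocoDB's code; the request body, the default config and the injected key name are constructed, and the application-wide write failure the advisory describes is not reproduced, only the mechanism. It shows the vulnerable merge beside one that skips the three dangerous keys and only descends into own properties, and a probe that observes whether an unrelated object was affected.

```javascript
// Added example (not NocoDB code): prototype pollution through a recursive
// merge of request JSON, and the hardened merge. Body and defaults are constructed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: visits every key the client sent. For key "__proto__",
// target[key] is Object.prototype, and the recursion writes into it.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: reject the three keys that reach the prototype chain and only
// descend into objects the target owns itself.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;   // or throw, to fail the request outright
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed request body in the shape a connection-test endpoint might
// accept, with the payload nested where any client can put it. JSON.parse
// creates "__proto__" as an own property, so for...in and Object.keys see it.
const BODY_JSON = '{"client":"pg","connection":{"host":"db.example"},"__proto__":{"writesDisabled":true}}';

function connectionConfig(body, merge) {
  const defaults = { client: 'pg', connection: { host: 'localhost', port: 5432 }, pool: { min: 0, max: 10 } };
  return merge(defaults, body);
}

// Runs a merge over the payload and reports whether an unrelated object,
// created beforehand, picked up the injected key. Cleans up afterwards so
// the rest of the process is not left polluted.
function pollutionObserved(merge) {
  const probe = {};
  try {
    connectionConfig(JSON.parse(BODY_JSON), merge);
    return probe.writesDisabled === true;
  } finally {
    delete Object.prototype.writesDisabled;
  }
}
```

Skipping the keys silently is enough to stop pollution; rejecting the whole request with a 400 is the better choice for an endpoint where no legitimate client would ever send them, because it also surfaces the attempt in logs.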

  • CVE-2025-27506 (Mar 6, 2025)
    affected: < 0.258.0; fixed: 0.258.0

    NocoDB is software for building databases as spreadsheets. The password reset API endpoint, /api/v1/db/auth/password/reset/:tokenId, is vulnerable to Reflected Cross-Site-Scripting. The flaw occur

  • CVE-2023-49781 (May 13, 2024)
    affected: < 0.202.9; fixed: 0.202.9

    NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" wh
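
This entry and CVE-2026-28357 above are the same sink two years apart: formula output that carries URI::() markers is turned into links and set with v-html, and the parts of the string that are not links go into the DOM unescaped. The following is an added example, not NocoDB's code; the marker syntax URI::(<url>) is assumed from the advisory wording, as is the shape of the reset-page fragment. It linkifies only markers whose target is an http(s) URL and escapes every other character, so the result is safe for v-html; the same escaping is what a server needs when it reflects a path parameter such as the tokenId from CVE-2025-27506 into an HTML response.

```javascript
// Added example (not NocoDB code): safe linkification of formula output
// carrying URI::(...) markers, plus escaped reflection of a path parameter.
// Marker syntax and the page fragment are assumed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

function safeHref(href) {
  try {
    const u = new URL(String(href));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

const URI_MARK = /URI::\(([^)]*)\)/g;

// Everything outside a marker is escaped text; a marker becomes an anchor
// only if its target passes safeHref, otherwise it is left as inert text.
function renderFormulaResult(value) {
  const text = String(value);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URI_MARK)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[1].trim());
    out += href
      ? `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(href)}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Reflected case: a server-rendered fragment that embeds the tokenId from
// the URL must pass it through the same escaping. Hypothetical markup.
function resetPageFragment(tokenId) {
  return `<input type="hidden" name="token" value="${escapeHtml(tokenId)}">`;
}
```

Where a cell value contains no markers at all, the cheaper and safer client-side option is v-text (or textContent), which needs no escaping in the first place.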

  • CVE-2023-50718 (May 13, 2024)
    affected: < 0.202.10; fixed: 0.202.10

    NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the data

  • CVE-2023-50717 (May 13, 2024)
    affected: >= 0.202.6, < 0.202.10; fixed: 0.202.10

    NocoDB is software for building databases as spreadsheets. Starting in version 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading to stored cross-site
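
This entry and CVE-2026-24769 above (uploaded SVG with embedded script) are the same failure: an attachment that a browser will interpret as an active document is served from the application's own origin. The following is an added example, not NocoDB's code; the content-type allowlist, the byte markers and the header set are choices made for the example. It decides the response headers for a stored upload from the declared type and a look at the first bytes, so that SVG, HTML or anything disguised as an image is downloaded rather than rendered, and what is rendered inline carries a CSP sandbox and nosniff.

```javascript
// Added example (not NocoDB code): response headers for serving user uploads
// so SVG/HTML attachments cannot execute script in the app origin.
// Allowlist, markers and header values are choices made for the example.
const INLINE_SAFE = new Set(['image/png', 'image/jpeg', 'image/gif', 'image/webp', 'text/plain']);

// Byte patterns that mean "browser will treat this as a document", checked
// regardless of what content type the uploader declared.
const ACTIVE_MARKERS = [/<svg[\s>]/i, /<html[\s>]/i, /<script[\s>]/i, /<!doctype\s+html/i, /<\?xml/i];

function looksActive(headBytes) {
  const head = headBytes.toString('latin1', 0, 1024);
  return ACTIVE_MARKERS.some((re) => re.test(head));
}

// Header-safe filename: anything outside [A-Za-z0-9_.-] becomes "_", which
// also stops quote or CRLF injection into Content-Disposition.
function safeFilename(name) {
  const s = String(name || 'download').replace(/[^\w.\-]/g, '_');
  return s.length ? s : 'download';
}

function attachmentHeaders(declaredType, filename, headBytes) {
  const type = String(declaredType || '').split(';')[0].trim().toLowerCase();
  const inline = INLINE_SAFE.has(type) && !looksActive(headBytes);
  return {
    // Unknown or active types are served as opaque bytes and forced to download.
    'Content-Type': inline ? type : 'application/octet-stream',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeFilename(filename)}"`,
    // No MIME sniffing, and even an inline resource runs in a sandbox with
    // no script, no network and no access to the embedding origin.
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'Cache-Control': 'private, no-store',
  };
}

// Constructed sample uploads.
const SVG_WITH_SCRIPT = Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>');
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const HTML_AS_PNG = Buffer.from('<html><script>alert(1)</script></html>');
```

Forcing application/octet-stream means an SVG cell attachment will no longer render as an inline thumbnail; the usual way to keep that while staying safe is to serve uploads from a separate, cookie-less origin (a dedicated attachments host) and keep the headers above on the application origin.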

  • CVE-2023-43794 (Oct 17, 2023)
    affected: < 0.111.0; fixed: 0.111.0

    Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inje
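
This entry, CVE-2023-50718 (unescaped table_name) and CVE-2026-28399 (the DATEADD unit parameter) are all cases of a fragment of user input being spliced into SQL text. Two of them concern positions a bound parameter cannot fill: an identifier and an interval keyword. The following is an added example, not NocoDB's code; the formula signature DATEADD(column, amount, unit) and the MySQL dialect are assumed. It shows the vulnerable concatenation beside the hardened form, where the unit is mapped through an allowlist to a fixed keyword, the identifier is quoted with backtick doubling, and the only value that reaches the database as data is a bound parameter.

```javascript
// Added example (not NocoDB code): generating the SQL behind a DATEADD formula
// and a table-scoped query without user input reaching the SQL text.
// Formula signature and MySQL dialect are assumed.
const DATE_UNITS = new Map([
  ['day', 'DAY'], ['week', 'WEEK'], ['month', 'MONTH'], ['quarter', 'QUARTER'], ['year', 'YEAR'],
  ['hour', 'HOUR'], ['minute', 'MINUTE'], ['second', 'SECOND'],
]);

// Vulnerable shape: the unit text from the formula is concatenated as-is,
// so "DAY) ..." closes the expression and the rest is attacker SQL.
function dateAddVulnerable(column, amount, unit) {
  return `DATE_ADD(\`${column}\`, INTERVAL ${amount} ${unit})`;
}

// Vulnerable shape for the table_name case: the name is interpolated raw.
function describeTableVulnerable(tableName) {
  return `SELECT * FROM ${tableName} LIMIT 1`;
}

// MySQL identifier quoting: backticks with embedded backticks doubled, and a
// length check (64 is MySQL's identifier limit). Whatever the name contains,
// it stays inside the quotes and names at most one object.
function quoteIdent(name) {
  const s = String(name);
  if (s.length === 0 || s.length > 64 || s.includes('\u0000')) throw new Error('bad identifier');
  return '`' + s.replace(/`/g, '``') + '`';
}

// Hardened: the unit is looked up, never echoed; the amount is a binding.
function dateAdd(column, amount, unit) {
  const keyword = DATE_UNITS.get(String(unit).toLowerCase());
  if (!keyword) throw new Error(`unsupported DATEADD unit: ${unit}`);
  if (!Number.isInteger(amount)) throw new Error('amount must be an integer');
  return { sql: `DATE_ADD(${quoteIdent(column)}, INTERVAL ? ${keyword})`, bindings: [amount] };
}

function describeTable(tableName) {
  return { sql: `SELECT * FROM ${quoteIdent(tableName)} LIMIT 1`, bindings: [] };
}
```

Quoting makes the identifier inert; it does not decide whether the caller may touch that table, which remains an authorization check against the caller's base and role.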

  • CVE-2023-5104 (Sep 21, 2023)
    affected: < 0.96.0; fixed: 0.96.0

    Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

Page 1 of 2