VYPR

Nocodb

by Nocodb

npm: nocodb

Source repositories

CVEs (58)

  • CVE-2026-47387 · high · Jun 5, 2026
    risk 0.45 · cvss · epss 0.00

    Summary: The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with `editor` role (or above) on any base can plant a `javascript:` URL in the form's…

  • CVE-2026-47383 · high · Jun 5, 2026
    risk 0.45 · cvss · epss 0.00

    Summary: An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.
    Details: The comment write paths persisted the raw comment body with no server-side sanitisation; the…

  • CVE-2023-35843 · Jun 19, 2023
    risk 0.07 · cvss · epss 0.09

    NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files…

  • CVE-2026-53931 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in `.csv` (for…

  • CVE-2026-53930 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (`file:`, `ftp:`, etc.) and probing of internal HTTP destinations.
    Details: The `migrate` endpoint…

  • CVE-2026-53929 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or `.svg` attachments that the browser rendered inline from the NocoDB origin instead of forcing a download.
    Details: The signed attachment handler stored response-header overrides…

  • CVE-2026-53928 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.
    Details: `passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated…

  • CVE-2026-53927 · Jun 17, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be…

  • CVE-2026-53926 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.
    Details: `revokeAllOAuthTokensByUser` in the users…

  • CVE-2026-47386 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid `(access_token, refresh_token)` pair, breaking the single-use guarantee that PKCE relies on.
    Details: The token-exchange flow read `is_used` and called…

  • CVE-2026-47385 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases.
    Details: The SQLite client and the base/integration create services accepted a…

  • CVE-2026-47384 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.
    Details: The bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()` aggregations that…

  • CVE-2026-47382 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and `localhost`) reached the driver.
    Details: A new…

  • CVE-2026-47381 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: A user in one workspace could exercise another workspace's integration through the `testConnection` endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace.
    Details: …

  • CVE-2026-47380 · low · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison.
    Details: The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a…

  • CVE-2026-47379 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing.
    Details: The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was…

  • CVE-2026-47378 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction,…

  • CVE-2026-47377 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as…

  • CVE-2026-47376 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break…

  • CVE-2026-47375 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Summary: An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. The value is unrestricted by formula validation and embedded into a `knex.raw`…

Page 1 of 3