VYPR
Vendor: Nocobase

Products: 3
CVEs: 7
Across products: 7
Status: Private

Recent CVEs (7)

  • CVE-2026-34156 | Critical | Mar 31, 2026
    risk 0.63, CVSS 9.9, EPSS 0.36

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by…

  • CVE-2026-41640 | High | May 7, 2026
    risk 0.42, CVSS 7.5, EPSS 0.02

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation…

  • CVE-2026-41641 | High | May 7, 2026
    risk 0.40, CVSS 7.2, EPSS 0.02

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the…

  • CVE-2026-6224 | High | Apr 13, 2026
    risk 0.40, CVSS 7.3, EPSS 0.00

    A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in a sandbox issue. The…

  • CVE-2026-40346 | Medium | Apr 18, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any…

  • CVE-2026-34825 | Medium | Apr 2, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or…

  • CVE-2025-13877 | Medium | Dec 2, 2025
    risk 0.29, CVSS 5.6, EPSS 0.00

    A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded…