NocoDB
58 CVEs (npm package)
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47387 | NocoDB | High | 0.45 | — | 0.00 | | Jun 5, 2026 | Summary: The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with `editor` role (or above) on any base can plant a `javascript:` URL in the form's… |
| CVE-2026-47383 | NocoDB | High | 0.45 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details: The comment write paths persisted the raw comment body with no server-side sanitisation; the… |
| CVE-2023-35843 | NocoDB | | 0.07 | — | 0.09 | | Jun 19, 2023 | NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files… |
| CVE-2026-53931 | NocoDB | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in `.csv` (for… |
| CVE-2026-53930 | NocoDB | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (`file:`, `ftp:`, etc.) and probing of internal HTTP destinations. Details: The `migrate` endpoint… |
| CVE-2026-53929 | NocoDB | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or `.svg` attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details: The signed attachment handler stored response-header overrides… |
| CVE-2026-53928 | NocoDB | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details: `passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated… |
| CVE-2026-53927 | NocoDB | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be… |
| CVE-2026-53926 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details: `revokeAllOAuthTokensByUser` in the users… |
| CVE-2026-47386 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid `(access_token, refresh_token)` pair, breaking the single-use guarantee that PKCE relies on. Details: The token-exchange flow read `is_used` and called… |
| CVE-2026-47385 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. Details: The SQLite client and the base/integration create services accepted a… |
| CVE-2026-47384 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. Details: The bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()` aggregations that… |
| CVE-2026-47382 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and `localhost`) reached the driver. Details: A new… |
| CVE-2026-47381 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: A user in one workspace could exercise another workspace's integration through the `testConnection` endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. Details:… |
| CVE-2026-47380 | NocoDB | Low | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details: The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a… |
| CVE-2026-47379 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. Details: The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was… |
| CVE-2026-47378 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction,… |
| CVE-2026-47377 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as… |
| CVE-2026-47376 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break… |
| CVE-2026-47375 | NocoDB | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. The value is unrestricted by formula validation and embedded into a `knex.raw`… |