Vendor CVEs
Nocodb
All CVEs
58 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47387 | | high | 0.45 | — | 0.00 | | Jun 5, 2026 | Summary: The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with `editor` role (or above) on any base can plant a `javascript:` URL in the form's… |
| CVE-2026-47383 | | high | 0.45 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. Details: The comment write paths persisted the raw comment body with no server-side sanitisation; the… |
| CVE-2023-35843 | | | 0.07 | — | 0.09 | | Jun 19, 2023 | NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files… |
| CVE-2026-53931 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The spreadsheet-import endpoint `axiosRequestMake` could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in `.csv` (for… |
| CVE-2026-53930 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (`file:`, `ftp:`, etc.) and probing of internal HTTP destinations. Details: The `migrate` endpoint… |
| CVE-2026-53929 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: With `NC_SECURE_ATTACHMENTS=true`, an authenticated uploader could deliver `.html` or `.svg` attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. Details: The signed attachment handler stored response-header overrides… |
| CVE-2026-53928 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details: `passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated… |
| CVE-2026-53927 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | Summary: The spreadsheet-fetch endpoint (`axiosRequestMake`) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted `127.0.0.0/8` and `169.254.0.0/16`, allowing the cloud-metadata endpoint to be… |
| CVE-2026-53926 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details: `revokeAllOAuthTokensByUser` in the users… |
| CVE-2026-47386 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid `(access_token, refresh_token)` pair, breaking the single-use guarantee that PKCE relies on. Details: The token-exchange flow read `is_used` and called… |
| CVE-2026-47385 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. Details: The SQLite client and the base/integration create services accepted a… |
| CVE-2026-47384 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. Details: The bulk groupBy path in `group-by.ts` builds three database-specific `knex.raw()` aggregations that… |
| CVE-2026-47382 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and `localhost`) reached the driver. Details: A new… |
| CVE-2026-47381 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: A user in one workspace could exercise another workspace's integration through the `testConnection` endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. Details:… |
| CVE-2026-47380 | | low | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details: The unknown-user branch in `auth.service.ts` now performs a `bcrypt.compare` against a… |
| CVE-2026-47379 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The shared-view password check fell back to strict-equality (`===`) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. Details: The bcrypt branch (hashes starting with `$2a$`/`$2b$`) was… |
| CVE-2026-47378 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction,… |
| CVE-2026-47377 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as… |
| CVE-2026-47376 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break… |
| CVE-2026-47375 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. The value is unrestricted by formula validation and embedded into a `knex.raw`… |
| CVE-2026-47279 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | Summary: The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view… |
| CVE-2026-46554 | | low | 0.00 | — | 0.00 | | May 21, 2026 | Summary: Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details: The API token deletion path removed the database row but did not evict the token-value… |
| CVE-2026-46553 | | low | 0.00 | — | 0.00 | | May 21, 2026 | Summary: The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the remote file's advertised `Content-Length` or the decoded length of a `data:` URI, allowing an authenticated user to bypass the configured per-file size limit. Details: The… |
| CVE-2026-46552 | | | 0.00 | — | 0.00 | | May 21, 2026 | Summary: Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited… |
| CVE-2026-46551 | | | 0.00 | — | 0.00 | | May 21, 2026 | Summary: The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting… |
| CVE-2026-46550 | | | 0.00 | — | 0.00 | | May 21, 2026 | Summary: The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF… |
| CVE-2026-46549 | | low | 0.00 | — | 0.00 | | May 21, 2026 | Summary: The OAuth token strategy attached `oauth_scope` and `oauth_granted_resources` to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying… |
| CVE-2026-46548 | | | 0.00 | — | 0.00 | | May 21, 2026 | Summary: The `request-filtering-agent` SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because `httpAgent` / `httpsAgent` were passed as part of the request **body** rather than the axios **config**. An… |
| CVE-2026-46547 | | | 0.00 | — | 0.00 | | May 21, 2026 | Summary: A reflected XSS vulnerability exists in the Page Leaving Warning page. The `ncRedirectUrl` and `ncBackUrl` query parameters are used in `window.location.href` and `` tag bindings without validation, allowing `javascript:` URI injection. Details:… |
| CVE-2026-28401 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3. |
| CVE-2026-28399 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3. |
| CVE-2026-28398 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3. |
| CVE-2026-28397 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3. |
| CVE-2026-28396 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.… |
| CVE-2026-28361 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has… |
| CVE-2026-28360 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3. |
| CVE-2026-28359 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version… |
| CVE-2026-28358 | | | 0.00 | — | 0.01 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. |
| CVE-2026-28357 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This… |
| CVE-2026-24769 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB's attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are… |
| CVE-2026-24768 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB's login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a… |
| CVE-2026-24767 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly… |
| CVE-2026-24766 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail… |
| CVE-2025-27506 | | | 0.00 | — | 0.01 | | Mar 6, 2025 | NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function, /api/v1/db/auth/password/reset/:tokenId, is vulnerable to Reflected Cross-Site-Scripting. The flaw… |
| CVE-2023-49781 | | | 0.00 | — | 0.01 | | May 13, 2024 | NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls"… |
| CVE-2023-50718 | | | 0.00 | — | 0.01 | | May 13, 2024 | NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the… |
| CVE-2023-50717 | | | 0.00 | — | 0.01 | | May 13, 2024 | NocoDB is software for building databases as spreadsheets. Starting in version 0.202.6 and prior to version 0.202.10, an attacker can upload an HTML file with malicious content. If a user tries to open that file in a browser, malicious scripts can be executed, leading to stored cross-site… |
| CVE-2023-43794 | | | 0.00 | — | 0.01 | | Oct 17, 2023 | Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can… |
| CVE-2023-5104 | | | 0.00 | — | 0.01 | | Sep 21, 2023 | Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0. |
| CVE-2022-3423 | | | 0.00 | — | 0.02 | | Oct 7, 2022 | Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0. |
Page 1 of 2