26 matches found

RedhatCVE · added 2026/06/05 7:20 p.m. · 10 views

CVE-2026-41640

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 8.8 · AI score 5.7 · EPSS 0.01875
Exploits: 1 · References: 1
NVD · added 2026/05/07 6:16 a.m. · 23 views

CVE-2026-41641

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and...

CVSS 7.2 · EPSS 0.01833
Exploits: 1 · References: 4
NVD · added 2026/05/07 4:16 a.m. · 9 views

CVE-2026-41640

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 8.8 · EPSS 0.01875
Exploits: 1 · References: 4
EUVD · added 2026/05/07 4:13 a.m. · 29 views

EUVD-2026-28318

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and...

CVSS 7.2 · AI score 6 · EPSS 0.01833
Exploits: 1 · References: 4
EUVD · added 2026/05/07 4:09 a.m. · 26 views

EUVD-2026-28261

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 7.5 · AI score 6 · EPSS 0.01875
Exploits: 1 · References: 4
CVE · added 2026/05/07 4:09 a.m. · 27 views

CVE-2026-41640

NocoBase CVE-2026-41640 describes an SQL injection in the core @nocobase/database package prior to v2.0.39. The vulnerable function queryParentSQL() builds a recursive CTE using string concatenation for nodeIds in a WHERE IN clause, allowing an authenticated attacker with record-creation permissi...

CVSS 8.8 · AI score 6 · EPSS 0.01875
Exploits: 1 · References: 4 · Affected Software: 1
CNNVD · added 2026/05/07 12:00 a.m. · 8 views

Nocobase SQL injection vulnerability

Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.39 contained a SQL injection vulnerability. This vulnerability stemmed from the use of string concatenation rather than parameterized queries in the queryParentSQL function, which allowed for the...

CVSS 8.8 · AI score 5.8 · EPSS 0.01875
Exploits: 1 · References: 1
Snyk · added 2026/04/22 8:07 p.m. · 7 views

SQL Injection

Overview: @nocobase/plugin-collection-sql is a package that provides a SQL collection template. Affected versions of this package are vulnerable to SQL Injection through the update handler in the collection SQL resource. An attacker can submit a malicious sql value while updating a SQL-backed collection and have ...

CVSS 8.6 · AI score 5.9 · EPSS 0.01833
Exploits: 1 · References: 2
vulnersOsv · added 2026/03/27 5:57 p.m. · 9 views

1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +953 more potentially affected by CVE-2026-33993 via locutus (>=2.0.10 <=2.0.39)

locutus NPM version =2.0.10, =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0.0, =0.2.0, =0.9.0-rc.0 - @alchmy/generator-alchmy =0.0.206147191 and more. Source cves: CVE-2026-33993. Source advisory: OSV:GHSA-4MPH-V827-F877...

CVSS 9.8 · AI score 5.7 · EPSS 0.00583
Exploits: 1
Positive Technologies · added 2026/03/04 12:00 a.m. · 4 views

PT-2026-23097

Name of the Vulnerable Software and Affected Versions: Locutus versions prior to 3.0.0
Description: Locutus, a library designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a remote code execution (RCE) flaw. This issue resides within t...

CVSS 8.1 · AI score 6.5 · EPSS 0.00786
Exploits: 1 · References: 14
NVD · added 2026/02/04 10:15 p.m. · 4 views

CVE-2026-25521

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input...

CVSS 9.4 · EPSS 0.00261
Exploits: 1 · References: 5
Cvelist · added 2026/02/04 9:20 p.m. · 23 views

CVE-2026-25521 Locutus is vulnerable to Prototype Pollution

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input...

CVSS 9.4 · EPSS 0.00261
Exploits: 1 · References: 2
Vulnrichment · added 2026/02/04 9:20 p.m. · 3 views

CVE-2026-25521 Locutus is vulnerable to Prototype Pollution

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input...

CVSS 9.4 · AI score 5.4 · EPSS 0.00261
Exploits: 1 · References: 2
Positive Technologies · added 2026/02/02 12:00 a.m. · 5 views

PT-2026-6481

Summary: A Prototype Pollution vulnerability exists in the npm package locutus 2.0.12. Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using...

CVSS 9.4 · AI score 6.2 · EPSS 0.00261
Exploits: 1 · References: 5
Vulnrichment · added 2025/12/05 6:07 a.m. · 3 views

CVE-2025-12374 Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generate...

CVSS 9.8 · AI score 5.8 · EPSS 0.00433
Exploits: 0 · References: 2
Cvelist · added 2025/12/05 6:07 a.m. · 25 views

CVE-2025-12374 Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generate...

CVSS 9.8 · EPSS 0.00433
Exploits: 0 · References: 3
Positive Technologies · added 2025/12/05 12:00 a.m. · 5 views

PT-2025-49228

Name of the Vulnerable Software and Affected Versions: Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress versions up to and including 2.0.39
Description: The plugin does not properly validate that a One-Time Passwo...

CVSS 9.8 · AI score 6.3 · EPSS 0.00433
Exploits: 0 · References: 11
CNNVD · added 2025/03/24 12:00 a.m. · 3 views

Yii2 code issue vulnerability

Yii2 is a fast, secure and professional PHP framework from Yii Open Source. A code issue vulnerability exists in Yii2 2.0.39 and earlier versions, which stems from a deserialization issue and could lead to remote attacks...

CVSS 9.8 · AI score 6.6 · EPSS 0.00599
Exploits: 1 · References: 4
Positive Technologies · added 2024/05/02 12:00 a.m. · 4 views

PT-2024-27579 · WordPress · Blocksy

Name of the Vulnerable Software and Affected Versions: Blocksy theme for WordPress versions up to, and including, 2.0.39
Description: The issue is related to Stored Cross-Site Scripting via the className parameter in the About Me block due to insufficient input sanitization and output escaping...

CVSS 6.4 · AI score 6 · EPSS 0.00423
Exploits: 0 · References: 5
Patchstack · added 2024/04/25 12:00 a.m. · 8 views

WordPress Blocksy Theme <= 2.0.39 is vulnerable to Cross Site Scripting (XSS)

Software: Blocksy
Type: Theme
Vulnerable versions: <= 2.0.39
Fixed in: 2.0.40
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2024-3747
Patch priority: Low
CVSS severity: Low (6.5)
Developer: Creative Themes
PSID: 3ec8e6a91460
Credits: Ngô Thiên An (ancorn)
Required...

CVSS 6.4 · AI score 5.8 · EPSS 0.00423
Exploits: 0 · References: 3 · Affected Software: 1