NocoBase - VM Sandbox Escape to Remote Code Execution
NocoBase Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist controlled by WORKFLOWSCRIPTMODULES env var. The console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console.stdout and...
NocoBase - SQL Injection
NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...
NocoBase - SQL Injection
NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...
Remote Code Execution (RCE)
@nocobase/plugin-workflow-javascript is vulnerable to Remote Code Execution. The vulnerability is due to improper sandbox isolation in the Workflow Script Node, where the exposed console object allows access to host-realm WritableWorkerStdio stream objects via console.stdout and console.stderr,...
NocoBase 2.0.27 VM Sandbox Escape
NocoBase versions 2.0.27 and below VM sandbox escape exploit. Exploit Title: NocoBase 2.0.27 - VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Genç Vendor Homepage: https://www.nocobase.com/ Software Link: https://github.com/nocobase/nocobase Version: = 2.0.27 — patched in 2.0.28 Teste...
CVE-2026-41641
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords (e.g., pgreadfile, LOADFILE, dblink) is applied on the collections:create and...
CVE-2026-41640
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...
CVE-2026-41641 NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords (e.g., pgreadfile, LOADFILE, dblink) is applied on the collections:create and...
EUVD-2026-28318
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords (e.g., pgreadfile, LOADFILE, dblink) is applied on the collections:create and...
CVE-2026-41640 NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...
Nocobase SQL Injection Vulnerability
Nocobase is an open-source low-code platform developed by NocoBase. Versions of Nocobase prior to 2.0.39 contained a SQL injection vulnerability. This vulnerability stemmed from the lack of checkSQL validation for the sqlCollection:update endpoint, which could allow attackers with collection...
Nocobase SQL Injection Vulnerability
Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.39 contained a SQL injection vulnerability. This vulnerability stemmed from the use of string concatenation rather than parameterized queries in the queryParentSQL function, which allowed for the...
NocoBase 2.0.27 - VM Sandbox Escape
Exploit Title: NocoBase 2.0.27 - VM Sandbox Escape Date: 2026-03-26 Exploit Author: Onurcan Genç Vendor Homepage: https://www.nocobase.com/ Software Link: https://github.com/nocobase/nocobase Version: -u -P --cmd "id"...
NocoBase 2.0.27 Sandbox Escape / Remote Code Execution
This code is a Metasploit Auxiliary module designed to exploit a remote code execution vulnerability in NocoBase versions 2.0.27 and below. It targets a flaw in the server-side script execution engine flownodes that allows breaking out of the JavaScript sandbox...
@nocobase/actions (>=2.0.0 <=2.0.38), @nocobase/auth (>=2.0.0 <=2.0.38) +4 more potentially affected by CVE-2026-41640 via @nocobase/database (>=2.0.0-alpha.10 <=2.0.38)
@nocobase/database NPM version =2.0.0-alpha.10, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.38 Source cves: CVE-2026-41640 Source advisory: SNYK:JS-NOCOBASEDATABASE-16421470...
GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...
@nocobase/actions (>=0.4.0-alpha.1 <=2.0.38), @nocobase/api (>=0.4.0-alpha.1 <=0.4.0-alpha.7) +37 more potentially affected by CVE-2026-41640 via @nocobase/database (>=0.10.0-alpha.2 <=2.0.38)
@nocobase/database NPM version =0.10.0-alpha.2, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.14.0-alpha.4, =0.7.0-alpha.1, =0.10.0-alpha.2, =0.14.0-alpha.4, =0.20.0-alpha.1, =0.18.0-alpha.1, =0.7.0-alpha.1, =0.4.0-alpha.1, =0.7.1-alpha.4, =0.10.1-alpha.1, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.10.1-alpha.1 and...
@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...
SQL Injection
Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...