SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...

GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

GHSA-WRWH-C28M-9JJH @nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call

Summary The checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions...

SQL Injection

Overview @nocobase/plugin-collection-sql is a Provides SQL collection template Affected versions of this package are vulnerable to SQL Injection through the update handler in the collection SQL resource. An attacker can submit a malicious sql value while updating a SQL-backed collection and have ...

@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call

Summary The checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions...

PT-2026-34609

Name of the Vulnerable Software and Affected Versions @nocobase/database versions prior to 2.0.39 Description An issue exists in the queryParentSQL function within the core database package where a recursive CTE query is constructed by joining nodeIds using string concatenation instead of...

PT-2026-34610

Name of the Vulnerable Software and Affected Versions @nocobase/plugin-collection-sql versions prior to 2.0.39 Description An issue exists where the checkSQL validation function, designed to block dangerous SQL keywords such as pg read file, LOAD FILE, and dblink, is not applied to the...

CVE-2026-40346

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-workflow-request is a Send HTTP requests to any HTTP service for data interaction in workflow. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP...

Server-side Request Forgery (SSRF)

Overview @nocobase/utils is a Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP requests to user-supplied URLs without proper validation. An attacker can access internal networ...

@nocobase/acl (>=2.0.0 <=2.0.3), @nocobase/actions (>=2.0.0 <=2.0.36) +11 more potentially affected by CVE-2026-40346 via @nocobase/utils (>=2.0.0-alpha.10 <=2.0.36)

@nocobase/utils NPM version =2.0.0-alpha.10, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.36 Source cves: CVE-2026-40346 Source advisory: SNYK:JS-NOCOBASEUTILS-16117330...

CVE-2026-40346

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

Nocobase 安全漏洞

Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.37 contained security vulnerabilities. These vulnerabilities stemmed from the lack of SSRF protection when the workflow HTTP request plugin and custom request operation plugins initiated...

CVE-2026-40346 NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

CVE-2026-40346

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

CVE-2026-40346 NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An...

CVE-2026-40346

Summary: CVE-2026-40346 affects NocoBase prior to v2.0.37 via SSRF in the workflow HTTP request and custom request plugins. An authenticated user can trigger server-side HTTP requests to user-provided URLs, potentially reaching internal network services, cloud metadata endpoints, and localhost. R...

GHSA-MVVV-V22X-XQWP NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins

Summary NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Vulnerable Code 1. Workflow HTTP...

EUVD-2026-22122

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be...