
22 matches found

NVD
added 2 days ago, 5 views

CVE-2026-47385

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration creat...

CVSS 5.3, EPSS 0.00324
Exploits 0, References 1
NVD
added 2 days ago, 5 views

CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access token, refresh token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

CVSS 6.3, EPSS 0.00197
Exploits 0, References 1
ATTACKERKB
added 2 days ago, 3 views

CVE-2026-47384

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific...

CVSS 5.3, AI score 5.9, EPSS 0.00306
Exploits 0, References 2, Affected software 1
Snyk
added 2026/06/05 4:19 p.m., 5 views

Server-side Request Forgery (SSRF)

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the connection-test endpoint. An authenticated attacker can access internal network resources by supplying a crafted database host value when testing database connections...

CVSS 5.3, AI score 5.3, EPSS 0.00207
Exploits 0, References 2
Snyk
added 2026/06/05 4:04 p.m., 4 views

User Impersonation

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to User Impersonation via the testConnection endpoint when the integration is fetched in a bypass scope and permission checks are insufficiently scoped to the integration's workspace. An attacker can gain unauthorized...

CVSS 6.9, AI score 5.4, EPSS 0.00313
Exploits 0, References 2
Snyk
added 2026/05/21 8:39 p.m., 22 views

Insufficient Session Expiration

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Insufficient Session Expiration through the ApiToken delete path in the token management code. An attacker can keep using a deleted API token by deleting it while the cache entry remains keyed under the token value,...

CVSS 6.3, AI score 5.8, EPSS 0.00197
Exploits 0, References 2
Snyk
added 2026/03/02 7:53 p.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the McpTokenService.get, regenerateToken, and delete functions due to missing ownership validation for MCP tokens. An attacker with Creator role privileges can...

CVSS 7.1, AI score 6, EPSS 0.0016
Exploits 0, References 2
Cvelist
added 2026/03/02 4:20 p.m., 30 views

CVE-2026-28401 NocoDB: Stored Cross-Site Scripting via Rich Text Cells

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3...

CVSS 5.3, EPSS 0.00179
Exploits 0, References 2
Snyk
added 2026/01/28 9:50 p.m., 3 views

Server-side Request Forgery (SSRF)

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the uploadViaURL function in the attachments.service.ts file. An attacker can trigger outbound requests to arbitrary URLs by supplying crafted input to the process before validatio...

CVSS 6.4, AI score 6, EPSS 0.00198
Exploits 1, References 2
Github Security Blog
added 2026/01/28 9:41 p.m., 17 views

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Summary: A stored Cross-site Scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because...

CVSS 9.4, AI score 5.9, EPSS 0.00385
Exploits 1, References 3, Affected software 1
EUVD
added 2026/01/28 8:32 p.m., 6 views

EUVD-2026-4870

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter. During authentication, NocoDB processes a user-controlled redirect...

CVSS 7.1, AI score 6.3, EPSS 0.00269
Exploits 1, References 1
CVE
added 2026/01/28 8:27 p.m., 21 views

CVE-2026-24766

NocoDB prior to 0.301.0 is affected by a prototype pollution in /api/v2/meta/connection/test. An authenticated user with org-level-creator permissions can trigger pollution that causes all database write operations to fail until the server is restarted. The issue bypasses SUPER_ADMIN checks but c...

CVSS 4.9, AI score 5.9, EPSS 0.00348
Exploits 1, References 1, Affected software 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-27270

Malicious code in bioql PyPI...

CVSS 8, AI score 7.9, EPSS 0.0121
Exploits 1, References 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2023-2630

Malicious code in bioql PyPI...

CVSS 6.5, AI score 5.5, EPSS 0.00791
Exploits 1, References 6
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-6040

Malicious code in bioql PyPI...

CVSS 9, AI score 9.1, EPSS 0.01327
Exploits 1, References 6
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-1743

Malicious code in bioql PyPI...

CVSS 5.7, AI score 5.8, EPSS 0.00574
Exploits 1, References 3
RedhatCVE
added 2025/05/23 4:29 a.m., 5 views

CVE-2023-50717

NocoDB is software for building databases as spreadsheets. Starting in version 0.202.6 and prior to version 0.202.10, an attacker can upload an HTML file with malicious content. If a user tries to open that file in a browser, malicious scripts can be executed, leading to a stored cross-site scripting attack...

CVSS 5.7, AI score 6.1, EPSS 0.00574
Exploits 1, References 1
Veracode
added 2025/03/11 7:35 a.m., 9 views

Reflected Cross-Site Scripting (Reflected XSS)

NocoDB is vulnerable to Reflected Cross-Site Scripting (Reflected XSS). The vulnerability is due to the insecure usage of the EJS template engine, specifically the %- function in resetPassword.ts, which directly renders unescaped user input, allowing malicious scripts to execute when processed ...

CVSS 6.1, AI score 6.4, EPSS 0.00683
Exploits 1, References 5, Affected software 1
NVD
added 2025/03/06 7:15 p.m., 12 views

CVE-2025-27506

NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. The endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occurs due to...

CVSS 6.1, EPSS 0.00683
Exploits 1, References 4
OSV
added 2025/03/06 6:52 p.m., 9 views

GHSA-WF6C-HRHF-86CW NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Summary: The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. Details: Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occur...

CVSS 6.1, AI score 7.2, EPSS 0.00683
Exploits 1, References 6