Insufficient Session Expiration

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Insufficient Session Expiration through the ApiToken delete path in the token management code. An attacker can keep using a deleted API token by deleting it while the cache entry remains keyed under the token value,...

Authorization Bypass Through User-Controlled Key

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the McpTokenService.get, regenerateToken, and delete functions due to missing ownership validation for MCP tokens. An attacker with Creator role privileges can...

CVE-2026-28401 NocoDB: Stored Cross-Site Scripting via Rich Text Cells

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3...

Server-side Request Forgery (SSRF)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the uploadViaURL function in the attachments.service.ts file. An attacker can trigger outbound requests to arbitrary URLs by supplying crafted input to the process before validatio...

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Summary A stored Cross-site Scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because...

EUVD-2026-4870

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect open redirect vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter. During authentication, NocoDB processes a user-controlled redirect...

CVE-2026-24766

NocoDB prior to 0.301.0 is affected by a prototype pollution in /api/v2/meta/connection/test. An authenticated user with org-level-creator permissions can trigger pollution that causes all database write operations to fail until the server is restarted. The issue bypasses SUPER_ADMIN checks but c...

EUVD-2024-1743

Malicious code in bioql PyPI...

EUVD-2023-2630

Malicious code in bioql PyPI...

EUVD-2022-6040

Malicious code in bioql PyPI...

EUVD-2022-27270

Malicious code in bioql PyPI...

CVE-2023-50717

NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading stored cross-site scripting attack...

Reflected Cross-Site Scripting (Reflected XSS)

NocoDB is vulnerable to Reflected Cross-Site Scripting Reflected XSS. The vulnerability is due to the insecure usage of the EJS template engine, specifically the %- function in resetPassword.ts, which can directly renders unescaped user input, allowing malicious scripts to execute when processed ...

CVE-2025-27506

NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. The endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occurs due to...

GHSA-WF6C-HRHF-86CW NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Summary The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. Details Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occur...

CVE-2023-35843

NocoDB through 0.106.0 or 0.109.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the...

NocoDB information disclosure vulnerability

In NocoDB prior to 0.91.7, the SMTP plugin doesn't have verification or validation. This allows attackers to make requests to internal servers and read the contents...