17 matches found

NVD (added 2026/05/07 6:16 a.m., 9 views)

CVE-2026-41641

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and...

CVSS 7.2, EPSS 0.00194
Exploits: 1, References: 4
EUVD (added 2026/05/07 4:13 a.m., 13 views)

EUVD-2026-28318

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and...

CVSS 7.2, AI score 6, EPSS 0.00194
Exploits: 1, References: 4
EUVD (added 2026/05/07 4:09 a.m., 7 views)

EUVD-2026-28261

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 7.5, AI score 6, EPSS 0.04817
Exploits: 1, References: 4
CVE (added 2026/05/07 4:09 a.m., 7 views)

CVE-2026-41640

NocoBase CVE-2026-41640 describes an SQL injection in the core @nocobase/database package prior to v2.0.39. The vulnerable function queryParentSQL() builds a recursive CTE using string concatenation for nodeIds in a WHERE IN clause, allowing an authenticated attacker with record-creation permissi...

CVSS 8.8, AI score 6, EPSS 0.04817
Exploits: 1, References: 4, Affected Software: 1
CNNVD (added 2026/05/07 12:00 a.m., 4 views)

Nocobase SQL Injection Vulnerability

Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.39 contained a SQL injection vulnerability. This vulnerability stemmed from the use of string concatenation rather than parameterized queries in the queryParentSQL function, which allowed for the...

CVSS 8.8, AI score 5.8, EPSS 0.04817
Exploits: 1, References: 1
Snyk (added 2026/04/22 8:07 p.m., 3 views)

SQL Injection

Overview: @nocobase/plugin-collection-sql is a package that provides a SQL collection template. Affected versions of this package are vulnerable to SQL Injection through the update handler in the collection SQL resource. An attacker can submit a malicious sql value while updating a SQL-backed collection and have ...

CVSS 8.6, AI score 5.9, EPSS 0.00194
Exploits: 1, References: 2
Positive Technologies (added 2026/03/04 12:00 a.m., 2 views)

PT-2026-23097

Name of the Vulnerable Software and Affected Versions: Locutus versions prior to 3.0.0
Description: Locutus, a library designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a remote code execution (RCE) flaw. This issue resides within t...

CVSS 8.1, AI score 6.5, EPSS 0.00506
Exploits: 1, References: 14
Cvelist (added 2026/02/04 9:20 p.m., 16 views)

CVE-2026-25521 Locutus is vulnerable to Prototype Pollution

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input...

CVSS 9.4, EPSS 0.00018
Exploits: 1, References: 2
Vulnrichment (added 2025/12/05 6:07 a.m., 3 views)

CVE-2025-12374 Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generate...

CVSS 9.8, AI score 5.8, EPSS 0.00491
Exploits: 0, References: 2
Cvelist (added 2025/12/05 6:07 a.m., 22 views)

CVE-2025-12374 Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generate...

CVSS 9.8, EPSS 0.00491
Exploits: 0, References: 3
Positive Technologies (added 2025/12/05 12:00 a.m., 3 views)

PT-2025-49228

Name of the Vulnerable Software and Affected Versions: Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress versions up to and including 2.0.39
Description: The plugin does not properly validate that a One-Time Passwo...

CVSS 9.8, AI score 6.3, EPSS 0.00491
Exploits: 0, References: 11
CNNVD (added 2025/03/24 12:00 a.m., 2 views)

Yii2 Code Issue Vulnerability

Yii2 is a fast, secure and professional PHP framework from Yii Open Source. A code issue vulnerability exists in Yii2 2.0.39 and earlier versions, which stems from a deserialization issue and could lead to remote attacks...

CVSS 9.8, AI score 6.6, EPSS 0.00085
Exploits: 1, References: 4
Positive Technologies (added 2024/05/02 12:00 a.m., 2 views)

PT-2024-27579 · WordPress · Blocksy

Name of the Vulnerable Software and Affected Versions: Blocksy theme for WordPress versions up to, and including, 2.0.39
Description: The issue is related to Stored Cross-Site Scripting via the className parameter in the About Me block due to insufficient input sanitization and output escaping...

CVSS 6.4, AI score 6, EPSS 0.00196
Exploits: 0, References: 5
Patchstack (added 2024/04/25 12:00 a.m., 7 views)

WordPress Blocksy Theme <= 2.0.39 is vulnerable to Cross Site Scripting (XSS)

Software: Blocksy
Type: Theme
Vulnerable versions: <= 2.0.39
Fixed in: 2.0.40
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2024-3747
Patch priority: Low
CVSS severity: Low (6.5)
Developer: Creative Themes
PSID: 3ec8e6a91460
Credits: Ngô Thiên An (ancorn)
Required...

CVSS 6.4, AI score 5.8, EPSS 0.00196
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies (added 2022/11/17 12:00 a.m., 3 views)

PT-2022-26692 · Bkg · Bkg Professional Ntripcaster

Name of the Vulnerable Software and Affected Versions: BKG Professional NtripCaster version 2.0.39
Description: The issue allows querying information over the UDP protocol without authentication. The NTRIP sourcetable, which is typically quite long, can be requested with a small packet, presentin...

CVSS 7.5, AI score 6.8, EPSS 0.00423
Exploits: 0, References: 6
Packet Storm (added 2021/01/05 12:00 a.m., 620 views)

WordPress Stripe Payments 2.0.39 Cross Site Scripting

Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settingscurrencycode' Stored XSS
Date: 04-01-2021
Software Link: https://wordpress.org/plugins/stripe-payments/developers
Exploit Author: Park Won Seok
Contact: [email protected]
Category: Webapps
Version:...

AI score 7.4
Exploits: 0
Positive Technologies (added 2002/12/31 12:00 a.m., 2 views)

PT-2002-2572 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache versions 2.0.39 through 2.0.40
Description: The issue allows local users and possibly remote attackers to cause a denial of service, resulting in hang and memory consumption. This occurs when a CGI script sends a large amount of data t...

CVSS 7.5, AI score 6.6, EPSS 0.02205
Exploits: 1, References: 15