CVE-2026-52887
NocoBase before version 2.0.61 is affected by CVE-2026-52887 due to a SQL injection in the in-app notification plugin. The flaw occurs in GET /api/myInAppChannels:list where filter[latestMsgReceiveTimestamp][$lt] is interpolated into a Sequelize.literal() without escaping or parameter binding, en...