15 matches found

Nuclei
added yesterday | 22 views

NocoBase - SQL Injection

NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...

CVSS 8.8 | AI score 6 | EPSS 0.04817
Exploits: 1 | References: 2

Cvelist
added 2026/05/07 4:9 a.m. | 34 views

CVE-2026-41640 NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 7.5 | EPSS 0.04817
Exploits: 1 | References: 4

OSV
added 2026/04/22 8:9 p.m. | 2 views

GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

CVSS 7.5 | AI score 5.9 | EPSS 0.04817
Exploits: 1 | References: 6

Github Security Blog
added 2026/04/22 8:9 p.m. | 4 views

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

CVSS 8.8 | AI score 5.9 | EPSS 0.04817
Exploits: 1 | References: 6 | Affected Software: 1

Snyk
added 2026/04/22 8:9 p.m. | 2 views

SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...

CVSS 8.8 | AI score 6.1 | EPSS 0.04817
Exploits: 1 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2014-9818

Malware in sbrugna...

CVSS 7.5 | AI score 6.3 | EPSS 0.00132
Exploits: 1 | References: 4

Positive Technologies
added 2025/10/02 12:0 a.m. | 2 views

PT-2025-40399

Name of the Vulnerable Software and Affected Versions YOSHOP 2.0 Description The software allows unauthorized disclosure of information through comment-list API endpoints within the Goods module. The Comment model loads the related User model without filtering specific fields. Due to the absence ...

CVSS 7.5 | AI score 6.3 | EPSS 0.00088
Exploits: 1 | References: 5

RedhatCVE
added 2025/09/05 9:16 a.m. | 2 views

CVE-2014-125127

The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application...

CVSS 7.5 | AI score 7 | EPSS 0.00132
Exploits: 1 | References: 1

NVD
added 2025/09/03 9:15 a.m. | 2 views

CVE-2014-125127

The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application...

CVSS 7.5 | EPSS 0.00132
Exploits: 1 | References: 3

Snyk
added 2025/09/03 8:45 a.m. | 1 view

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to eager loading of request bodies in the Request constructor. An attacker can cause excessive memory consumption and potentially exhaust server resources by sending requests with...

CVSS 8.7 | AI score 7 | EPSS 0.00132
Exploits: 1 | References: 2

CVE
added 2025/09/03 8:35 a.m. | 10 views

CVE-2014-125127

The CVE-2014-125127 entry concerns the mikecao/flight PHP framework. Affected versions prior to v1.2 are vulnerable to Denial of Service due to eager loading of request bodies in the Request constructor, causing the framework to read the entire body on every HTTP request and risking memory exhaus...

CVSS 7.5 | AI score 6.5 | EPSS 0.00132
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/09/03 8:35 a.m. | 1 view

CVE-2014-125127 Denial of Service (DoS) vulnerability in mikecao/flight

The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application...

CVSS 7.5 | AI score 6.5 | EPSS 0.00132
Exploits: 1 | References: 3

Cvelist
added 2025/09/03 8:35 a.m. | 4 views

CVE-2014-125127 Denial of Service (DoS) vulnerability in mikecao/flight

The mikecao/flight PHP framework in versions prior to v1.2 is vulnerable to Denial of Service (DoS) attacks due to eager loading of request bodies in the Request class constructor. The framework automatically reads the entire request body on every HTTP request, regardless of whether the application...

CVSS 7.5 | EPSS 0.00132
Exploits: 1 | References: 3

Positive Technologies
added 2025/09/03 12:0 a.m. | 2 views

PT-2025-35706

Name of the Vulnerable Software and Affected Versions: mikecao/flight versions prior to v1.2 Description: The mikecao/flight PHP framework is susceptible to Denial of Service (DoS) attacks. This is due to the eager loading of request bodies within the Request class constructor. The framework...

CVSS 7.5 | AI score 6.4 | EPSS 0.00132
Exploits: 1 | References: 6

CNNVD
added 2025/09/03 12:0 a.m. | 1 view

Flight Security Vulnerability

Flight is a PHP microframework by individual developer Mike Cao. A security vulnerability exists in versions prior to Flight v1.2; it stems from eager loading of the request body in the constructor of the Request class, which could lead to a denial-of-service attack...

CVSS 7.5 | AI score 6.5 | EPSS 0.00132
Exploits: 1 | References: 3