Lucene search
K

25 matches found

NVD
NVD
added 2026/06/23 9:17 p.m.9 views

CVE-2026-53926

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

6.3CVSS0.00295EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 9:17 p.m.12 views

CVE-2026-47382

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses including IPv4-mapped IPv6 forms and...

5.3CVSS0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 8:40 p.m.30 views

CVE-2026-46549 NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauthscope and oauthgrantedresources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope e.g. MCP-only therefore inherited...

2CVSS0.00151EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 8:15 p.m.23 views

CVE-2026-47384

CVE-2026-47384 – NocoDB SQL Injection via Column Title in Bulk GroupBy : An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column title to a SQL fragment. The vulnerable code path builds three database-specific knex.raw() aggregations t...

5.3CVSS5.9AI score0.00306EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:12 p.m.6 views

CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid accesstoken, refreshtoken pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

6.3CVSS5.9AI score0.00197EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/05/21 8:34 p.m.11 views

Server-side Request Forgery (SSRF)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the sendMessage methods in the Discord, Mattermost, Slack, and Teams webhook adapters. An attacker can make the server send requests to attacker-controlled URLs by supplying a...

6.4CVSS5.9AI score0.00176EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/04 1:56 a.m.7 views

CVE-2026-28359

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...

5.4CVSS5.9AI score0.00147EPSS
Exploits0References1
OSV
OSV
added 2026/03/03 8:58 p.m.5 views

GHSA-8VM4-G489-V3W7 NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Summary User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. Details Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html...

5.3CVSS5.9AI score0.00143EPSS
Exploits0References4
OSV
OSV
added 2026/03/02 7:42 p.m.5 views

GHSA-387M-J3P9-3PHP NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

Summary The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. Details POST /api/v2/auth/password/forgot returned a success message for registered emails but 'Your email has not been registered.' for unknown emails. The fix...

6.9CVSS5.9AI score0.00601EPSS
Exploits0References4
OSV
OSV
added 2026/03/02 4:20 p.m.3 views

CVE-2026-28401 NocoDB: Stored Cross-Site Scripting via Rich Text Cells

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3...

5.3CVSS5.8AI score0.00179EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/02 4:19 p.m.38 views

CVE-2026-28399 NocoDB: SQL Injection via DATEADD Formula

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...

8.6CVSS0.00319EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/02 4:19 p.m.6 views

CVE-2026-28398

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3...

5.4CVSS5.8AI score0.00143EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/02 4:19 p.m.4 views

CVE-2026-28397 NocoDB: Stored Cross-Site Scripting via Comments

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3...

5.3CVSS5.8AI score0.00179EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/02 4:16 p.m.21 views

CVE-2026-28357 NocoDB: Stored Cross-Site Scripting via Formula Cell

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI:: patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patche...

5.3CVSS0.00143EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/02 4:16 p.m.4 views

CVE-2026-28357 NocoDB: Stored Cross-Site Scripting via Formula Cell

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI:: patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patche...

5.3CVSS5.8AI score0.00143EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/02 12:0 a.m.6 views

NocoDB 跨站脚本漏洞

NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.3 had a cross-site scripting vulnerability. This vulnerability occurred due to the lack of cleanup during...

5.4CVSS5.7AI score0.00143EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/02 12:0 a.m.9 views

NocoDB 安全漏洞

NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.3 contained a security vulnerability. This vulnerability stemmed from the lack of verification of token...

7.1CVSS5.8AI score0.0016EPSS
Exploits0References2
Veracode
Veracode
added 2026/02/09 7:54 p.m.6 views

Server-Side Request Forgery (SSRF)

NocoDB is vulnerable to a Server-Side Request Forgery SSRF. The vulnerability is due to an unprotected HEAD request in the uploadViaURL functionality, which allows an attacker to trigger limited outbound requests to arbitrary URLs before SSRF validation is enforced...

6.4CVSS5.7AI score0.00198EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/01/28 8:36 p.m.6 views

EUVD-2026-4868

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

9.4CVSS5.8AI score0.00385EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/01/28 12:0 a.m.7 views

NocoDB security vulnerabilities

NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.0 contained a security vulnerability. This vulnerability stemmed from a prototype pollution issue in...

4.9CVSS5.9AI score0.00348EPSS
Exploits1References2
Rows per page
Query Builder