@nocobase/actions (>=2.0.0 <=2.0.38), @nocobase/auth (>=2.0.0 <=2.0.38) +4 more potentially affected by CVE-2026-41640 via @nocobase/database (>=2.0.0-alpha.10 <=2.0.38)

@nocobase/database NPM version =2.0.0-alpha.10, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.38 Source cves: CVE-2026-41640 Source advisory: SNYK:JS-NOCOBASEDATABASE-16421470...

GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

@nocobase/actions (>=0.4.0-alpha.1 <=2.0.38), @nocobase/api (>=0.4.0-alpha.1 <=0.4.0-alpha.7) +37 more potentially affected by CVE-2026-41640 via @nocobase/database (>=0.10.0-alpha.2 <=2.0.38)

@nocobase/database NPM version =0.10.0-alpha.2, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.14.0-alpha.4, =0.7.0-alpha.1, =0.10.0-alpha.2, =0.14.0-alpha.4, =0.20.0-alpha.1, =0.18.0-alpha.1, =0.7.0-alpha.1, =0.4.0-alpha.1, =0.7.1-alpha.4, =0.10.1-alpha.1, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.10.1-alpha.1 and...

SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...