CVE-2026-41640 NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

Nocobase SQL注入漏洞

Nocobase is an open-source low-code platform developed by NocoBase. Versions of NocoBase prior to 2.0.39 contained a SQL injection vulnerability. This vulnerability stemmed from the use of string concatenation rather than parameterized queries in the queryParentSQL function, which allowed for the...