CVE-2026-41640 NocoBase Vulnerable to SQL Injection via String Concatenation in Recursive Eager Loading

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...