4 matches found
CVE-2026-46553
CVE-2026-46553 affects NocoDB prior to 2026.04.1, where the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote file’s Content-Length or the decoded length of a data: URI. This allowed an authenticated user with upload permissions to bypass the configured per-file size ...
CVE-2026-46553
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NCATTACHMENTFIELDSIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured...
NocoDB: Attachment Size Limit Bypass via Upload-by-URL
Summary The upload-by-URL path did not enforce NCATTACHMENTFIELDSIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. Details The attachments service now checks...
CVE-2025-60319
PerfreeBlog v4.0.11 is vulnerable to Server-Side Request Forgery due to a missing authorization check in the uploadAttachByUrl API endpoint AttachController.java...