| 0 |
| url |
VCID-3sdf-hy48-fyct |
| vulnerability_id |
VCID-3sdf-hy48-fyct |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28358, GHSA-387m-j3p9-3php
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3sdf-hy48-fyct |
|
| 1 |
| url |
VCID-4k6k-vje9-8qdg |
| vulnerability_id |
VCID-4k6k-vje9-8qdg |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28361, GHSA-p9x3-w98f-7j3q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4k6k-vje9-8qdg |
|
| 2 |
| url |
VCID-5bed-tjbz-xqc2 |
| vulnerability_id |
VCID-5bed-tjbz-xqc2 |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28399, GHSA-45rp-9p97-h852
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5bed-tjbz-xqc2 |
|
| 3 |
| url |
VCID-5fgs-yhb9-u7dn |
| vulnerability_id |
VCID-5fgs-yhb9-u7dn |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24766, GHSA-95ff-46g6-6gw9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5fgs-yhb9-u7dn |
|
| 4 |
| url |
VCID-69jy-4fjb-s3at |
| vulnerability_id |
VCID-69jy-4fjb-s3at |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28398, GHSA-8vm4-g489-v3w7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-69jy-4fjb-s3at |
|
| 5 |
|
| 6 |
| url |
VCID-as9j-1cwe-aufb |
| vulnerability_id |
VCID-as9j-1cwe-aufb |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28357, GHSA-vx5p-q85x-xm3c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-as9j-1cwe-aufb |
|
| 7 |
| url |
VCID-b9mm-grag-bqaa |
| vulnerability_id |
VCID-b9mm-grag-bqaa |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24769, GHSA-q5c6-h22r-qpwr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b9mm-grag-bqaa |
|
| 8 |
| url |
VCID-d25x-pp6u-nken |
| vulnerability_id |
VCID-d25x-pp6u-nken |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering. The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity. Version 0.301.0 fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24768, GHSA-3hmw-8mw3-rmpj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d25x-pp6u-nken |
|
| 9 |
| url |
VCID-d4h6-d2sf-bqdy |
| vulnerability_id |
VCID-d4h6-d2sf-bqdy |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28401, GHSA-wwp2-x4rj-j8rm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d4h6-d2sf-bqdy |
|
| 10 |
| url |
VCID-db3m-evp6-b3c9 |
| vulnerability_id |
VCID-db3m-evp6-b3c9 |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28359, GHSA-qxwq-q265-hc44
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-db3m-evp6-b3c9 |
|
| 11 |
| url |
VCID-f4k6-mp3v-a7gc |
| vulnerability_id |
VCID-f4k6-mp3v-a7gc |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28360, GHSA-mpp2-x7wv-38hv
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f4k6-mp3v-a7gc |
|
| 12 |
| url |
VCID-f76y-v3jh-jqba |
| vulnerability_id |
VCID-f76y-v3jh-jqba |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28397, GHSA-rcph-x7mj-54mm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f76y-v3jh-jqba |
|
| 13 |
| url |
VCID-g4ae-z1zh-tfbm |
| vulnerability_id |
VCID-g4ae-z1zh-tfbm |
| summary |
Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database. This vulnerability has been addressed in version 0.111.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-141`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/nocodb@0.111.0 |
| purl |
pkg:npm/nocodb@0.111.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3sdf-hy48-fyct |
|
| 1 |
| vulnerability |
VCID-4k6k-vje9-8qdg |
|
| 2 |
| vulnerability |
VCID-5bed-tjbz-xqc2 |
|
| 3 |
| vulnerability |
VCID-5fgs-yhb9-u7dn |
|
| 4 |
| vulnerability |
VCID-69jy-4fjb-s3at |
|
| 5 |
| vulnerability |
VCID-8evk-svu4-akh8 |
|
| 6 |
| vulnerability |
VCID-as9j-1cwe-aufb |
|
| 7 |
| vulnerability |
VCID-b9mm-grag-bqaa |
|
| 8 |
| vulnerability |
VCID-d25x-pp6u-nken |
|
| 9 |
| vulnerability |
VCID-d4h6-d2sf-bqdy |
|
| 10 |
| vulnerability |
VCID-db3m-evp6-b3c9 |
|
| 11 |
| vulnerability |
VCID-f4k6-mp3v-a7gc |
|
| 12 |
| vulnerability |
VCID-f76y-v3jh-jqba |
|
| 13 |
| vulnerability |
VCID-hdkw-p45p-1bh5 |
|
| 14 |
| vulnerability |
VCID-pczw-jqqk-cuc9 |
|
| 15 |
| vulnerability |
VCID-qbme-rfah-9uad |
|
| 16 |
| vulnerability |
VCID-wqsc-972t-juhv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.111.0 |
|
|
| aliases |
CVE-2023-43794, GHSA-3m5q-q39v-xf8f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g4ae-z1zh-tfbm |
|
| 14 |
| url |
VCID-hdkw-p45p-1bh5 |
| vulnerability_id |
VCID-hdkw-p45p-1bh5 |
| summary |
NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. The endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting. The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“, which is rendered by the function renderPasswordReset. This vulnerability is fixed in 0.258.0. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/nocodb@0.258.0 |
| purl |
pkg:npm/nocodb@0.258.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3sdf-hy48-fyct |
|
| 1 |
| vulnerability |
VCID-4k6k-vje9-8qdg |
|
| 2 |
| vulnerability |
VCID-5bed-tjbz-xqc2 |
|
| 3 |
| vulnerability |
VCID-5fgs-yhb9-u7dn |
|
| 4 |
| vulnerability |
VCID-69jy-4fjb-s3at |
|
| 5 |
| vulnerability |
VCID-8evk-svu4-akh8 |
|
| 6 |
| vulnerability |
VCID-as9j-1cwe-aufb |
|
| 7 |
| vulnerability |
VCID-b9mm-grag-bqaa |
|
| 8 |
| vulnerability |
VCID-d25x-pp6u-nken |
|
| 9 |
| vulnerability |
VCID-d4h6-d2sf-bqdy |
|
| 10 |
| vulnerability |
VCID-db3m-evp6-b3c9 |
|
| 11 |
| vulnerability |
VCID-f4k6-mp3v-a7gc |
|
| 12 |
| vulnerability |
VCID-f76y-v3jh-jqba |
|
| 13 |
| vulnerability |
VCID-qbme-rfah-9uad |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.258.0 |
|
|
| aliases |
CVE-2025-27506, GHSA-wf6c-hrhf-86cw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdkw-p45p-1bh5 |
|
| 15 |
| url |
VCID-pczw-jqqk-cuc9 |
| vulnerability_id |
VCID-pczw-jqqk-cuc9 |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/nocodb@0.202.9 |
| purl |
pkg:npm/nocodb@0.202.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3sdf-hy48-fyct |
|
| 1 |
| vulnerability |
VCID-4k6k-vje9-8qdg |
|
| 2 |
| vulnerability |
VCID-5bed-tjbz-xqc2 |
|
| 3 |
| vulnerability |
VCID-5fgs-yhb9-u7dn |
|
| 4 |
| vulnerability |
VCID-69jy-4fjb-s3at |
|
| 5 |
| vulnerability |
VCID-8evk-svu4-akh8 |
|
| 6 |
| vulnerability |
VCID-as9j-1cwe-aufb |
|
| 7 |
| vulnerability |
VCID-b9mm-grag-bqaa |
|
| 8 |
| vulnerability |
VCID-d25x-pp6u-nken |
|
| 9 |
| vulnerability |
VCID-d4h6-d2sf-bqdy |
|
| 10 |
| vulnerability |
VCID-db3m-evp6-b3c9 |
|
| 11 |
| vulnerability |
VCID-f4k6-mp3v-a7gc |
|
| 12 |
| vulnerability |
VCID-f76y-v3jh-jqba |
|
| 13 |
| vulnerability |
VCID-hdkw-p45p-1bh5 |
|
| 14 |
| vulnerability |
VCID-jt4a-urtp-gyca |
|
| 15 |
| vulnerability |
VCID-qbme-rfah-9uad |
|
| 16 |
| vulnerability |
VCID-wqsc-972t-juhv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.202.9 |
|
|
| aliases |
CVE-2023-49781, GHSA-h6r4-xvw6-jc5h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pczw-jqqk-cuc9 |
|
| 16 |
| url |
VCID-qbme-rfah-9uad |
| vulnerability_id |
VCID-qbme-rfah-9uad |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-28396, GHSA-x4vh-j75g-268g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qbme-rfah-9uad |
|
| 17 |
| url |
VCID-wqsc-972t-juhv |
| vulnerability_id |
VCID-wqsc-972t-juhv |
| summary |
NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the database. Version 0.202.10 contains a patch for the issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/nocodb@0.202.10 |
| purl |
pkg:npm/nocodb@0.202.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3sdf-hy48-fyct |
|
| 1 |
| vulnerability |
VCID-4k6k-vje9-8qdg |
|
| 2 |
| vulnerability |
VCID-5bed-tjbz-xqc2 |
|
| 3 |
| vulnerability |
VCID-5fgs-yhb9-u7dn |
|
| 4 |
| vulnerability |
VCID-69jy-4fjb-s3at |
|
| 5 |
| vulnerability |
VCID-8evk-svu4-akh8 |
|
| 6 |
| vulnerability |
VCID-as9j-1cwe-aufb |
|
| 7 |
| vulnerability |
VCID-b9mm-grag-bqaa |
|
| 8 |
| vulnerability |
VCID-d25x-pp6u-nken |
|
| 9 |
| vulnerability |
VCID-d4h6-d2sf-bqdy |
|
| 10 |
| vulnerability |
VCID-db3m-evp6-b3c9 |
|
| 11 |
| vulnerability |
VCID-f4k6-mp3v-a7gc |
|
| 12 |
| vulnerability |
VCID-f76y-v3jh-jqba |
|
| 13 |
| vulnerability |
VCID-hdkw-p45p-1bh5 |
|
| 14 |
| vulnerability |
VCID-qbme-rfah-9uad |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.202.10 |
|
|
| aliases |
CVE-2023-50718, GHSA-8fxg-mr34-jqr8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wqsc-972t-juhv |
|