Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/%40nocobase/plugin-workflow-javascript@2.0.28
purl pkg:npm/%40nocobase/plugin-workflow-javascript@2.0.28
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-bpqh-1b2j-b3ct NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28. CVE-2026-34156
GHSA-px3p-vgh9-m57c

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-13T06:28:28.699070+00:00 GHSA Importer Fixing VCID-bpqh-1b2j-b3ct https://github.com/advisories/GHSA-px3p-vgh9-m57c 38.6.0
2026-06-12T21:43:27.736715+00:00 GitLab Importer Fixing VCID-bpqh-1b2j-b3ct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@nocobase/plugin-workflow-javascript/CVE-2026-34156.yml 38.6.0
2026-06-12T07:48:41.301548+00:00 GithubOSV Importer Fixing VCID-bpqh-1b2j-b3ct https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-px3p-vgh9-m57c/GHSA-px3p-vgh9-m57c.json 38.6.0