VulnerableCode Package Details - pkg:npm/%40nocobase/plugin-workflow-request@2.0.13

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/%40nocobase/plugin-workflow-request@2.0.13

purl	pkg:npm/%40nocobase/plugin-workflow-request@2.0.13

Next non-vulnerable version	2.0.37
Latest non-vulnerable version	2.0.37
Risk	3.1

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-bh9g-5ggj-xugj Aliases: CVE-2026-40346 GHSA-mvvv-v22x-xqwp	NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost. Version 2.0.37 contains a patch.	2.0.37 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:05:37.326584+00:00	GitLab Importer	Affected by	VCID-bh9g-5ggj-xugj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@nocobase/plugin-workflow-request/CVE-2026-40346.yml	38.6.0