| purl | pkg:npm/nocodb@0.301.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2xhn-e7hr-hfhp (aliases: CVE-2026-28399, GHSA-45rp-9p97-h852) | NocoDB Vulnerable to SQL Injection via DATEADD Formula: An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. | Affected by 8 other vulnerabilities. |
| VCID-81t3-hwrd-qkhu (aliases: CVE-2026-28397, GHSA-rcph-x7mj-54mm) | NocoDB Vulnerable to Stored Cross-site Scripting via Comments: Comments rendered via `v-html` without sanitization, enabling stored XSS. | Affected by 8 other vulnerabilities. |
| VCID-a9pu-8ysy-b3dv (aliases: CVE-2026-28359, GHSA-qxwq-q265-hc44) | NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field: An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. | Affected by 8 other vulnerabilities. |
| VCID-afbg-myss-6beg (aliases: CVE-2026-28401, GHSA-wwp2-x4rj-j8rm) | NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells: Rich text cell content rendered via `v-html` without sanitization, enabling stored XSS. | Affected by 8 other vulnerabilities. |
| VCID-dawx-ex9z-h3fe (aliases: CVE-2026-28360, GHSA-mpp2-x7wv-38hv) | NocoDB has Plaintext Storage of Shared View Passwords: Shared view passwords were stored in plaintext in the database and compared using direct string equality. | Affected by 8 other vulnerabilities. |
| VCID-ev6v-n8gt-jqh5 (aliases: CVE-2026-28358, GHSA-387m-j3p9-3php) | NocoDB Vulnerable to User Enumeration via Password Reset Endpoint: The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. | Affected by 8 other vulnerabilities. |
| VCID-f7fu-2g9q-47c5 (aliases: CVE-2026-28361, GHSA-p9x3-w98f-7j3q) | NocoDB Missing Ownership Validation in MCP Token Operations: The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. | Affected by 8 other vulnerabilities. |
| VCID-fyy3-tv84-6yfd (aliases: CVE-2026-28398, GHSA-8vm4-g489-v3w7) | NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells: User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS. | Affected by 8 other vulnerabilities. |
| VCID-xnuv-d4xj-bbhw (aliases: CVE-2026-28396, GHSA-x4vh-j75g-268g) | NocoDB's Refresh Tokens Not Revoked on Password Reset: The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. | Affected by 8 other vulnerabilities. |
| VCID-ydn4-emg6-53h9 (aliases: CVE-2026-28357, GHSA-vx5p-q85x-xm3c) | NocoDB has Stored Cross-site Scripting via Formula Cell: A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing `URI::()` patterns are rendered via `v-html` without sanitization, allowing injected HTML to execute. | Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |