Search for packages
| purl | pkg:npm/nocodb@0.92.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-213c-8mxs-b7ez
Aliases: CVE-2023-50718 GHSA-8fxg-mr34-jqr8 |
NocoDB SQL Injection vulnerability --- An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name. |
Affected by 15 other vulnerabilities. |
|
VCID-2xhn-e7hr-hfhp
Aliases: CVE-2026-28399 GHSA-45rp-9p97-h852 |
NocoDB Vulnerable to SQL Injection via DATEADD Formula An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. |
Affected by 8 other vulnerabilities. |
|
VCID-81t3-hwrd-qkhu
Aliases: CVE-2026-28397 GHSA-rcph-x7mj-54mm |
NocoDB Vulnerable to Stored Cross-site Scripting via Comments Comments rendered via `v-html` without sanitization, enabling stored XSS. |
Affected by 8 other vulnerabilities. |
|
VCID-9cty-6bcb-bugx
Aliases: CVE-2026-24767 GHSA-xr7v-j379-34v9 |
NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality A **blind Server-Side Request Forgery (SSRF)** vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. --- |
Affected by 10 other vulnerabilities. |
|
VCID-a9pu-8ysy-b3dv
Aliases: CVE-2026-28359 GHSA-qxwq-q265-hc44 |
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. |
Affected by 8 other vulnerabilities. |
|
VCID-afbg-myss-6beg
Aliases: CVE-2026-28401 GHSA-wwp2-x4rj-j8rm |
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells Rich text cell content rendered via `v-html` without sanitization, enabling stored XSS. |
Affected by 8 other vulnerabilities. |
|
VCID-dawx-ex9z-h3fe
Aliases: CVE-2026-28360 GHSA-mpp2-x7wv-38hv |
NocoDB has Plaintext Storage of Shared View Passwords Shared view passwords were stored in plaintext in the database and compared using direct string equality. |
Affected by 8 other vulnerabilities. |
|
VCID-ev6v-n8gt-jqh5
Aliases: CVE-2026-28358 GHSA-387m-j3p9-3php |
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. |
Affected by 8 other vulnerabilities. |
|
VCID-f7fu-2g9q-47c5
Aliases: CVE-2026-28361 GHSA-p9x3-w98f-7j3q |
NocoDB Missing Ownership Validation in MCP Token Operations The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. |
Affected by 8 other vulnerabilities. |
|
VCID-fyy3-tv84-6yfd
Aliases: CVE-2026-28398 GHSA-8vm4-g489-v3w7 |
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS. |
Affected by 8 other vulnerabilities. |
|
VCID-mfrn-ku8c-abc9
Aliases: CVE-2025-27506 GHSA-wf6c-hrhf-86cw |
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. |
Affected by 14 other vulnerabilities. |
|
VCID-pfjz-u5gv-jkgf
Aliases: CVE-2026-24768 GHSA-3hmw-8mw3-rmpj |
NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter An **unvalidated redirect (open redirect)** vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. |
Affected by 10 other vulnerabilities. |
|
VCID-rz3w-cjrv-37ec
Aliases: CVE-2026-24766 GHSA-95ff-46g6-6gw9 |
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS An authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. |
Affected by 10 other vulnerabilities. |
|
VCID-t9se-9xdx-kbex
Aliases: CVE-2026-24769 GHSA-q5c6-h22r-qpwr |
NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload A **stored Cross-site Scripting (XSS)** vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. --- |
Affected by 10 other vulnerabilities. |
|
VCID-v25a-vzzk-3ugn
Aliases: CVE-2023-5104 GHSA-xrpm-hccg-28x7 |
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0. |
Affected by 18 other vulnerabilities. |
|
VCID-vfge-zt2j-aka6
Aliases: CVE-2023-43794 GHSA-3m5q-q39v-xf8f |
nocodb SQL Injection vulnerability Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database. This vulnerability has been addressed in version 0.111.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-141`. |
Affected by 17 other vulnerabilities. |
|
VCID-vjc7-4hea-kfhy
Aliases: CVE-2023-49781 GHSA-h6r4-xvw6-jc5h |
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. |
Affected by 17 other vulnerabilities. |
|
VCID-xnuv-d4xj-bbhw
Aliases: CVE-2026-28396 GHSA-x4vh-j75g-268g |
NocoDB's Refresh Tokens Not Revoked on Password Reset The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. |
Affected by 8 other vulnerabilities. |
|
VCID-ydn4-emg6-53h9
Aliases: CVE-2026-28357 GHSA-vx5p-q85x-xm3c |
NocoDB has Stored Cross-site Scripting via Formula Cell A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing `URI::()` patterns are rendered via `v-html` without sanitization, allowing injected HTML to execute. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7jvk-k9zw-87fj | NocoDB vulnerable to Denial of Service NocoDB prior to 0.92.0 allows actors to insert large characters into the input field `New Project` on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue. |
CVE-2022-3423
GHSA-grv6-m753-3w2g |