{"url":"http://public2.vulnerablecode.io/api/packages/1025881?format=json","purl":"pkg:npm/%40nocobase/database@0.12.0-alpha.2","type":"npm","namespace":"@nocobase","name":"database","version":"0.12.0-alpha.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.0.39","latest_non_vulnerable_version":"2.0.39","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81067?format=json","vulnerability_id":"VCID-vs3k-5ue5-9yh3","summary":"NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package (@nocobase/database) builds a recursive CTE query by joining the nodeIds values into the SQL text with string concatenation instead of binding them as query parameters. The nodeIds array holds primary key values read back from database rows, so the injected text originates from stored data rather than directly from the incoming request. An attacker with permission to create a record in a collection whose primary key is a caller-supplied string can store a malicious primary key value; that value is then interpolated and executed as SQL whenever any subsequent request (by any user) triggers recursive eager loading on that collection, making this a second-order (stored) SQL injection. 
This issue has been patched in version 2.0.39.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41640","reference_id":"","reference_type":"","scores":[{"value":"0.05498","scoring_system":"epss","scoring_elements":"0.9043","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41640"},{"reference_url":"https://github.com/nocobase/nocobase","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocobase/nocobase"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41640","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41640"},{"reference_url":"https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604","reference_id":"202e2b8efe44ba90adbf1087f6f70881ff947604","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/"}],"url":"https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604"},{"reference_url":"https://github.com/nocobase/nocobase/pull/9133","reference_id":"9133","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elemen
ts":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/"}],"url":"https://github.com/nocobase/nocobase/pull/9133"},{"reference_url":"https://github.com/advisories/GHSA-4948-f92q-f432","reference_id":"GHSA-4948-f92q-f432","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4948-f92q-f432"},{"reference_url":"https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432","reference_id":"GHSA-4948-f92q-f432","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/"}],"url":"https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432"},{"reference_url":"https://github.com/nocobase/nocobase/releases/tag/v2.0.39","reference_id":"v2.0.39","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T12:54:23Z/"}],"url":"https://github.com/nocobase/nocobase/releases/tag/v2.0.39"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373914?format=json","purl":"pkg:npm/%40nocobase/database@2.0.39","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/database@2.0.39"}],"aliases":["CVE-2026-41640","GHSA-4948-f92q-f432"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vs3k-5ue5-9yh3"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/
database@0.12.0-alpha.2"}