Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40nocobase/plugin-collection-sql@1.3.9-beta

Type npm

Namespace @nocobase

Name plugin-collection-sql

Version 1.3.9-beta

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.0.39

Latest_non_vulnerable_version 2.0.39

Affected_by_vulnerabilities

url VCID-rpgg-v2fa-eyaw

vulnerability_id VCID-rpgg-v2fa-eyaw

summary NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-41641

reference_id

reference_type

scores

value	0.00211
scoring_system	epss
scoring_elements	0.43917
published_at	2026-06-13T12:55:00Z

value	0.00211
scoring_system	epss
scoring_elements	0.43742
published_at	2026-06-11T12:55:00Z

value	0.00211
scoring_system	epss
scoring_elements	0.43896
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-41641

reference_url

https://github.com/nocobase/nocobase

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/nocobase/nocobase

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-41641

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-41641

reference_url

https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91

reference_id

851aee543efa894142e0f7be03eb55d9cec06a91

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:49Z/

url

https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91

reference_url

https://github.com/nocobase/nocobase/pull/9134

reference_id

9134

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:49Z/

url

https://github.com/nocobase/nocobase/pull/9134

reference_url

https://github.com/advisories/GHSA-wrwh-c28m-9jjh

reference_id

GHSA-wrwh-c28m-9jjh

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wrwh-c28m-9jjh

reference_url

https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh

reference_id

GHSA-wrwh-c28m-9jjh

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:49Z/

url

https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh

reference_url

https://github.com/nocobase/nocobase/releases/tag/v2.0.39

reference_id

v2.0.39

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T14:13:49Z/

url

https://github.com/nocobase/nocobase/releases/tag/v2.0.39

fixed_packages

url	pkg:npm/%40nocobase/plugin-collection-sql@2.0.39
purl	pkg:npm/%40nocobase/plugin-collection-sql@2.0.39
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/plugin-collection-sql@2.0.39

aliases CVE-2026-41641, GHSA-wrwh-c28m-9jjh

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rpgg-v2fa-eyaw

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540nocobase/plugin-collection-sql@1.3.9-beta

Package Instance