Lookup for vulnerable packages by Package URL.

Purl pkg:npm/nocodb@0.258.0
Type npm
Namespace
Name nocodb
Version 0.258.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-2xhn-e7hr-hfhp
vulnerability_id VCID-2xhn-e7hr-hfhp
summary
NocoDB Vulnerable to SQL Injection via DATEADD Formula
An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28399
reference_id
reference_type
scores
0
value 0.00073
scoring_system epss
scoring_elements 0.22383
published_at 2026-06-06T12:55:00Z
1
value 0.00073
scoring_system epss
scoring_elements 0.22396
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28399
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-03T15:53:44Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28399
reference_id CVE-2026-28399
reference_type
scores
0
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28399
4
reference_url https://github.com/advisories/GHSA-45rp-9p97-h852
reference_id GHSA-45rp-9p97-h852
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-45rp-9p97-h852
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852
reference_id GHSA-45rp-9p97-h852
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-03T15:53:44Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28399, GHSA-45rp-9p97-h852
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xhn-e7hr-hfhp
1
url VCID-81t3-hwrd-qkhu
vulnerability_id VCID-81t3-hwrd-qkhu
summary
NocoDB Vulnerable to Stored Cross-site Scripting via Comments
Comments were rendered via `v-html` without sanitization, enabling stored XSS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28397
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02517
published_at 2026-06-06T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02515
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28397
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:50Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28397
reference_id CVE-2026-28397
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28397
4
reference_url https://github.com/advisories/GHSA-rcph-x7mj-54mm
reference_id GHSA-rcph-x7mj-54mm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rcph-x7mj-54mm
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-rcph-x7mj-54mm
reference_id GHSA-rcph-x7mj-54mm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:50Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-rcph-x7mj-54mm
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28397, GHSA-rcph-x7mj-54mm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-81t3-hwrd-qkhu
2
url VCID-9cty-6bcb-bugx
vulnerability_id VCID-9cty-6bcb-bugx
summary
NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
A **blind Server-Side Request Forgery (SSRF)** vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation.

This allows limited outbound requests to arbitrary URLs before SSRF controls are applied.

references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24767
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03466
published_at 2026-06-05T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03479
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24767
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24767
reference_id CVE-2026-24767
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24767
4
reference_url https://github.com/advisories/GHSA-xr7v-j379-34v9
reference_id GHSA-xr7v-j379-34v9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xr7v-j379-34v9
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
reference_id GHSA-xr7v-j379-34v9
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:20Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9
fixed_packages
0
url pkg:npm/nocodb@0.301.0
purl pkg:npm/nocodb@0.301.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xhn-e7hr-hfhp
1
vulnerability VCID-81t3-hwrd-qkhu
2
vulnerability VCID-a9pu-8ysy-b3dv
3
vulnerability VCID-afbg-myss-6beg
4
vulnerability VCID-dawx-ex9z-h3fe
5
vulnerability VCID-ev6v-n8gt-jqh5
6
vulnerability VCID-f7fu-2g9q-47c5
7
vulnerability VCID-fyy3-tv84-6yfd
8
vulnerability VCID-xnuv-d4xj-bbhw
9
vulnerability VCID-ydn4-emg6-53h9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0
aliases CVE-2026-24767, GHSA-xr7v-j379-34v9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9cty-6bcb-bugx
3
url VCID-a9pu-8ysy-b3dv
vulnerability_id VCID-a9pu-8ysy-b3dv
summary
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28359
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12696
published_at 2026-06-06T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12693
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28359
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:06:57Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28359
reference_id CVE-2026-28359
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28359
4
reference_url https://github.com/advisories/GHSA-qxwq-q265-hc44
reference_id GHSA-qxwq-q265-hc44
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qxwq-q265-hc44
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44
reference_id GHSA-qxwq-q265-hc44
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:06:57Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28359, GHSA-qxwq-q265-hc44
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a9pu-8ysy-b3dv
4
url VCID-afbg-myss-6beg
vulnerability_id VCID-afbg-myss-6beg
summary
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Rich text cell content was rendered via `v-html` without sanitization, enabling stored XSS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28401
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02517
published_at 2026-06-06T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02515
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28401
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:51:53Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28401
reference_id CVE-2026-28401
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28401
4
reference_url https://github.com/advisories/GHSA-wwp2-x4rj-j8rm
reference_id GHSA-wwp2-x4rj-j8rm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wwp2-x4rj-j8rm
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm
reference_id GHSA-wwp2-x4rj-j8rm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:51:53Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28401, GHSA-wwp2-x4rj-j8rm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-afbg-myss-6beg
5
url VCID-dawx-ex9z-h3fe
vulnerability_id VCID-dawx-ex9z-h3fe
summary
NocoDB has Plaintext Storage of Shared View Passwords
Shared view passwords were stored in plaintext in the database and compared using direct string equality.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28360
reference_id
reference_type
scores
0
value 0.00044
scoring_system epss
scoring_elements 0.14078
published_at 2026-06-06T12:55:00Z
1
value 0.00044
scoring_system epss
scoring_elements 0.14077
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28360
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:01:13Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28360
reference_id CVE-2026-28360
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28360
4
reference_url https://github.com/advisories/GHSA-mpp2-x7wv-38hv
reference_id GHSA-mpp2-x7wv-38hv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mpp2-x7wv-38hv
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv
reference_id GHSA-mpp2-x7wv-38hv
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:01:13Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-mpp2-x7wv-38hv
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28360, GHSA-mpp2-x7wv-38hv
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dawx-ex9z-h3fe
6
url VCID-ev6v-n8gt-jqh5
vulnerability_id VCID-ev6v-n8gt-jqh5
summary
NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
The forgot-password endpoint returned different responses for registered and unregistered emails, allowing user enumeration.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28358
reference_id
reference_type
scores
0
value 0.00599
scoring_system epss
scoring_elements 0.6986
published_at 2026-06-06T12:55:00Z
1
value 0.00599
scoring_system epss
scoring_elements 0.69851
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28358
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:02:18Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28358
reference_id CVE-2026-28358
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28358
4
reference_url https://github.com/advisories/GHSA-387m-j3p9-3php
reference_id GHSA-387m-j3p9-3php
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-387m-j3p9-3php
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php
reference_id GHSA-387m-j3p9-3php
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-03T16:02:18Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28358, GHSA-387m-j3p9-3php
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ev6v-n8gt-jqh5
7
url VCID-f7fu-2g9q-47c5
vulnerability_id VCID-f7fu-2g9q-47c5
summary
NocoDB Missing Ownership Validation in MCP Token Operations
The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28361
reference_id
reference_type
scores
0
value 0.00053
scoring_system epss
scoring_elements 0.17091
published_at 2026-06-06T12:55:00Z
1
value 0.00053
scoring_system epss
scoring_elements 0.17096
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28361
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:48Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28361
reference_id CVE-2026-28361
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28361
4
reference_url https://github.com/advisories/GHSA-p9x3-w98f-7j3q
reference_id GHSA-p9x3-w98f-7j3q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p9x3-w98f-7j3q
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q
reference_id GHSA-p9x3-w98f-7j3q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:48Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-p9x3-w98f-7j3q
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28361, GHSA-p9x3-w98f-7j3q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f7fu-2g9q-47c5
8
url VCID-fyy3-tv84-6yfd
vulnerability_id VCID-fyy3-tv84-6yfd
summary
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28398
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12696
published_at 2026-06-06T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12693
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28398
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:22Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28398
reference_id CVE-2026-28398
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28398
4
reference_url https://github.com/advisories/GHSA-8vm4-g489-v3w7
reference_id GHSA-8vm4-g489-v3w7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vm4-g489-v3w7
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7
reference_id GHSA-8vm4-g489-v3w7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:55:22Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28398, GHSA-8vm4-g489-v3w7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fyy3-tv84-6yfd
9
url VCID-pfjz-u5gv-jkgf
vulnerability_id VCID-pfjz-u5gv-jkgf
summary
NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
An **unvalidated redirect (open redirect)** vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter.

During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24768
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05521
published_at 2026-06-06T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.05538
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24768
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24768
reference_id CVE-2026-24768
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24768
3
reference_url https://github.com/advisories/GHSA-3hmw-8mw3-rmpj
reference_id GHSA-3hmw-8mw3-rmpj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3hmw-8mw3-rmpj
4
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
reference_id GHSA-3hmw-8mw3-rmpj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:11Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj
fixed_packages
0
url pkg:npm/nocodb@0.301.0
purl pkg:npm/nocodb@0.301.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xhn-e7hr-hfhp
1
vulnerability VCID-81t3-hwrd-qkhu
2
vulnerability VCID-a9pu-8ysy-b3dv
3
vulnerability VCID-afbg-myss-6beg
4
vulnerability VCID-dawx-ex9z-h3fe
5
vulnerability VCID-ev6v-n8gt-jqh5
6
vulnerability VCID-f7fu-2g9q-47c5
7
vulnerability VCID-fyy3-tv84-6yfd
8
vulnerability VCID-xnuv-d4xj-bbhw
9
vulnerability VCID-ydn4-emg6-53h9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0
aliases CVE-2026-24768, GHSA-3hmw-8mw3-rmpj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pfjz-u5gv-jkgf
10
url VCID-rz3w-cjrv-37ec
vulnerability_id VCID-rz3w-cjrv-37ec
summary
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
An authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24766
reference_id
reference_type
scores
0
value 0.00223
scoring_system epss
scoring_elements 0.45043
published_at 2026-06-06T12:55:00Z
1
value 0.00223
scoring_system epss
scoring_elements 0.45038
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24766
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.0
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb/releases/tag/0.301.0
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24766
reference_id CVE-2026-24766
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24766
4
reference_url https://github.com/advisories/GHSA-95ff-46g6-6gw9
reference_id GHSA-95ff-46g6-6gw9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-95ff-46g6-6gw9
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9
reference_id GHSA-95ff-46g6-6gw9
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:33Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9
fixed_packages
0
url pkg:npm/nocodb@0.301.0
purl pkg:npm/nocodb@0.301.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xhn-e7hr-hfhp
1
vulnerability VCID-81t3-hwrd-qkhu
2
vulnerability VCID-a9pu-8ysy-b3dv
3
vulnerability VCID-afbg-myss-6beg
4
vulnerability VCID-dawx-ex9z-h3fe
5
vulnerability VCID-ev6v-n8gt-jqh5
6
vulnerability VCID-f7fu-2g9q-47c5
7
vulnerability VCID-fyy3-tv84-6yfd
8
vulnerability VCID-xnuv-d4xj-bbhw
9
vulnerability VCID-ydn4-emg6-53h9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0
aliases CVE-2026-24766, GHSA-95ff-46g6-6gw9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rz3w-cjrv-37ec
11
url VCID-t9se-9xdx-kbex
vulnerability_id VCID-t9se-9xdx-kbex
summary
NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
A **stored Cross-site Scripting (XSS)** vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment.

Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users.

references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24769
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.0739
published_at 2026-06-06T12:55:00Z
1
value 0.00025
scoring_system epss
scoring_elements 0.07384
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24769
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24769
reference_id CVE-2026-24769
reference_type
scores
0
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24769
3
reference_url https://github.com/advisories/GHSA-q5c6-h22r-qpwr
reference_id GHSA-q5c6-h22r-qpwr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q5c6-h22r-qpwr
4
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr
reference_id GHSA-q5c6-h22r-qpwr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-29T14:00:29Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr
fixed_packages
0
url pkg:npm/nocodb@0.301.0
purl pkg:npm/nocodb@0.301.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xhn-e7hr-hfhp
1
vulnerability VCID-81t3-hwrd-qkhu
2
vulnerability VCID-a9pu-8ysy-b3dv
3
vulnerability VCID-afbg-myss-6beg
4
vulnerability VCID-dawx-ex9z-h3fe
5
vulnerability VCID-ev6v-n8gt-jqh5
6
vulnerability VCID-f7fu-2g9q-47c5
7
vulnerability VCID-fyy3-tv84-6yfd
8
vulnerability VCID-xnuv-d4xj-bbhw
9
vulnerability VCID-ydn4-emg6-53h9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.0
aliases CVE-2026-24769, GHSA-q5c6-h22r-qpwr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t9se-9xdx-kbex
12
url VCID-xnuv-d4xj-bbhw
vulnerability_id VCID-xnuv-d4xj-bbhw
summary
NocoDB's Refresh Tokens Not Revoked on Password Reset
The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28396
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.13007
published_at 2026-06-06T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13004
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28396
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:16Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28396
reference_id CVE-2026-28396
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28396
4
reference_url https://github.com/advisories/GHSA-x4vh-j75g-268g
reference_id GHSA-x4vh-j75g-268g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x4vh-j75g-268g
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g
reference_id GHSA-x4vh-j75g-268g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T15:57:16Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-x4vh-j75g-268g
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28396, GHSA-x4vh-j75g-268g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xnuv-d4xj-bbhw
13
url VCID-ydn4-emg6-53h9
vulnerability_id VCID-ydn4-emg6-53h9
summary
NocoDB has Stored Cross-site Scripting via Formula Cell
A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing `URI::()` patterns are rendered via `v-html` without sanitization, allowing injected HTML to execute.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28357
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12696
published_at 2026-06-06T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12693
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28357
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/releases/tag/0.301.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T16:50:04Z/
url https://github.com/nocodb/nocodb/releases/tag/0.301.3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28357
reference_id CVE-2026-28357
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28357
4
reference_url https://github.com/advisories/GHSA-vx5p-q85x-xm3c
reference_id GHSA-vx5p-q85x-xm3c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vx5p-q85x-xm3c
5
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c
reference_id GHSA-vx5p-q85x-xm3c
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-02T16:50:04Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c
fixed_packages
0
url pkg:npm/nocodb@0.301.3
purl pkg:npm/nocodb@0.301.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3ps4-aqy4-7keu
1
vulnerability VCID-8zjc-st6a-xfb1
2
vulnerability VCID-9a2b-ewu9-b3aj
3
vulnerability VCID-ejqa-m3gn-mfgn
4
vulnerability VCID-vbut-4bna-pfe5
5
vulnerability VCID-vj97-k2hc-jkcp
6
vulnerability VCID-wn4a-x9z3-qkbu
7
vulnerability VCID-y2f8-1n7p-r3du
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.301.3
aliases CVE-2026-28357, GHSA-vx5p-q85x-xm3c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ydn4-emg6-53h9
Fixing_vulnerabilities
0
url VCID-mfrn-ku8c-abc9
vulnerability_id VCID-mfrn-ku8c-abc9
summary
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27506
reference_id
reference_type
scores
0
value 0.03816
scoring_system epss
scoring_elements 0.88337
published_at 2026-06-05T12:55:00Z
1
value 0.03816
scoring_system epss
scoring_elements 0.8834
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27506
1
reference_url https://github.com/nocodb/nocodb
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nocodb/nocodb
2
reference_url https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/
url https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251
3
reference_url https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/
url https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
4
reference_url https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/
url https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27506
reference_id CVE-2025-27506
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27506
6
reference_url https://github.com/advisories/GHSA-wf6c-hrhf-86cw
reference_id GHSA-wf6c-hrhf-86cw
reference_type
scores
url https://github.com/advisories/GHSA-wf6c-hrhf-86cw
7
reference_url https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw
reference_id GHSA-wf6c-hrhf-86cw
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T19:12:15Z/
url https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw
fixed_packages
0
url pkg:npm/nocodb@0.258.0
purl pkg:npm/nocodb@0.258.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xhn-e7hr-hfhp
1
vulnerability VCID-81t3-hwrd-qkhu
2
vulnerability VCID-9cty-6bcb-bugx
3
vulnerability VCID-a9pu-8ysy-b3dv
4
vulnerability VCID-afbg-myss-6beg
5
vulnerability VCID-dawx-ex9z-h3fe
6
vulnerability VCID-ev6v-n8gt-jqh5
7
vulnerability VCID-f7fu-2g9q-47c5
8
vulnerability VCID-fyy3-tv84-6yfd
9
vulnerability VCID-pfjz-u5gv-jkgf
10
vulnerability VCID-rz3w-cjrv-37ec
11
vulnerability VCID-t9se-9xdx-kbex
12
vulnerability VCID-xnuv-d4xj-bbhw
13
vulnerability VCID-ydn4-emg6-53h9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.258.0
aliases CVE-2025-27506, GHSA-wf6c-hrhf-86cw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mfrn-ku8c-abc9
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/nocodb@0.258.0