Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-q4wm-7szt-hfcb
Vulnerability ID VCID-q4wm-7szt-hfcb
Aliases CVE-2026-40346
GHSA-mvvv-v22x-xqwp
Summary
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-918 Server-Side Request Forgery (SSRF)
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-40346
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mvvv-v22x-xqwp
cvssv3.1 6.5 https://github.com/nocobase/nocobase
cvssv4 6.4 https://github.com/nocobase/nocobase
generic_textual MODERATE https://github.com/nocobase/nocobase
cvssv3.1 6.5 https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
cvssv4 6.4 https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
generic_textual MODERATE https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
ssvc Track https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
cvssv3.1 6.5 https://github.com/nocobase/nocobase/pull/9079
cvssv4 6.4 https://github.com/nocobase/nocobase/pull/9079
generic_textual MODERATE https://github.com/nocobase/nocobase/pull/9079
ssvc Track https://github.com/nocobase/nocobase/pull/9079
cvssv3.1 6.5 https://github.com/nocobase/nocobase/releases/tag/v2.0.37
cvssv4 6.4 https://github.com/nocobase/nocobase/releases/tag/v2.0.37
generic_textual MODERATE https://github.com/nocobase/nocobase/releases/tag/v2.0.37
ssvc Track https://github.com/nocobase/nocobase/releases/tag/v2.0.37
cvssv3.1 6.5 https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
cvssv3.1_qr MODERATE https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
cvssv4 6.4 https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
generic_textual MODERATE https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
ssvc Track https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2026-40346
cvssv4 6.4 https://nvd.nist.gov/vuln/detail/CVE-2026-40346
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-40346
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-40346
https://github.com/nocobase/nocobase
https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
https://github.com/nocobase/nocobase/pull/9079
https://github.com/nocobase/nocobase/releases/tag/v2.0.37
https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
https://nvd.nist.gov/vuln/detail/CVE-2026-40346
GHSA-mvvv-v22x-xqwp https://github.com/advisories/GHSA-mvvv-v22x-xqwp
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/nocobase/nocobase
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/nocobase/nocobase
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/ Found at https://github.com/nocobase/nocobase/commit/2853368243ed07339c62c548b7d475f4eeaada59
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/nocobase/nocobase/pull/9079
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/nocobase/nocobase/pull/9079
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/ Found at https://github.com/nocobase/nocobase/pull/9079
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/nocobase/nocobase/releases/tag/v2.0.37
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/nocobase/nocobase/releases/tag/v2.0.37
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/ Found at https://github.com/nocobase/nocobase/releases/tag/v2.0.37
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:42:37Z/ Found at https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40346
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40346
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03207
EPSS Score 0.00015
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T23:09:26.934555+00:00 EPSS Importer Import https://epss.cyentia.com/epss_scores-current.csv.gz 38.6.0