๐จ CVE-2026-46549
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
OAuth Token Scope Not Enforced in ACL Layer
### Summary
The OAuth token strategy attached `oauth_scope` and `oauth_granted_resources` to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricte...
The OAuth token strategy attached `oauth_scope` and `oauth_granted_resources` to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricte...
๐จ CVE-2026-46550
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Refresh Token Cookie Set Without `Secure` and `SameSite` Flags
### Summary
The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; ...
The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; ...
๐จ CVE-2026-46551
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC_ATTACHMENT_FIELD_SIZE; the subsequent storageAdapter.fileCreateByUrl() performed the download without maxContentLength. This vulnerability is fixed in 2026.04.4.
๐@cveNotify
GitHub
Missing File Size Limit on Upload-by-URL
### Summary
The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user...
The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user...
๐จ CVE-2026-46552
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Member Invite Reachable via Shared-Base Link
### Summary
Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base me...
Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base me...
๐จ CVE-2026-46553
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Attachment Size Limit Bypass via Upload-by-URL
### Summary
The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the
remote file's advertised `Content-Length` or the decoded length of a `data:` URI,
allowing an au...
The upload-by-URL path did not enforce `NC_ATTACHMENT_FIELD_SIZE` against either the
remote file's advertised `Content-Length` or the decoded length of a `data:` URI,
allowing an au...
๐จ CVE-2026-46554
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache. The auth middleware therefore continued to accept the deleted token until the cache entry aged out, leaving a deletion-to-revocation window of up to three days. This vulnerability is fixed in 2026.04.4.
๐@cveNotify
GitHub
Stale Auth Cache After API Token Deletion
### Summary
Deleted API tokens continued to authenticate requests until their cache entry expired,
because the auth cache was not invalidated by token value at deletion time.
### Details
The API t...
Deleted API tokens continued to authenticate requests until their cache entry expired,
because the auth cache was not invalidated by token value at deletion time.
### Details
The API t...
๐จ CVE-2026-47279
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table โ including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table โ including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the view-column entry's show flag. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
### Summary
The public shared-view relation endpoints accepted a caller-supplied column
ID without verifying that the column was visible in the shared view, so
anyone holding a share UUID could rea...
The public shared-view relation endpoints accepted a caller-supplied column
ID without verifying that the column was visible in the shared view, so
anyone holding a share UUID could rea...
๐จ CVE-2026-47375
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Postgres SQL Injection in Formula `ARRAYSORT`
### Summary
An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. ...
An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. ...
๐จ CVE-2026-47376
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Reflected Cross-Site Scripting via Password Reset Token
### Summary
The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of charac...
The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of charac...
๐จ CVE-2026-47377
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/โฆ) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/โฆ) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Open Redirect via Hash Fragment in hashRedirect Plugin
### Summary
The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol...
The client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol...
๐จ CVE-2026-47378
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
Hidden Column Exposure in Public Shared View Endpoints
### Summary
Public shared-view endpoints exposed values from columns that the view owner had
hidden, via three independent paths: groupBy returned raw values for any column
named in the request,...
Public shared-view endpoints exposed values from columns that the view owner had
hidden, via three independent paths: groupBy returned raw values for any column
named in the request,...
๐จ CVE-2026-47379
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Plaintext Password Comparison in Shared Views
### Summary
The shared-view password check fell back to strict-equality (`===`) comparison for
legacy plaintext passwords, leaking the password's length and per-character prefix
through respons...
The shared-view password check fell back to strict-equality (`===`) comparison for
legacy plaintext passwords, leaking the password's length and per-character prefix
through respons...
๐จ CVE-2026-47380
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
๐@cveNotify
GitHub
User Enumeration via Sign-In Timing
### Summary
Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.
### Details
The unkno...
Sign-in response timing differed between known and unknown email addresses because
the unknown-user branch returned without performing a password hash comparison.
### Details
The unkno...
๐จ CVE-2026-47381
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Cross-Workspace Integration Use in Connection Test
### Summary
A user in one workspace could exercise another workspace's integration through the
`testConnection` endpoint by supplying its ID, because the integration was fetched in
a bypass sco...
A user in one workspace could exercise another workspace's integration through the
`testConnection` endpoint by supplying its ID, because the integration was fetched in
a bypass sco...
๐จ CVE-2026-47382
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and link-local addresses (including IPv4-mapped IPv6 forms and localhost) reached the driver. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Server-Side Request Forgery via Database Connection Host
### Summary
The connection-test endpoint opened a raw TCP socket to the user-supplied database
host without resolving and range-checking the destination, so private and link-local
addresses (includ...
The connection-test endpoint opened a raw TCP socket to the user-supplied database
host without resolving and range-checking the destination, so private and link-local
addresses (includ...
๐จ CVE-2026-47383
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Stored Cross-Site Scripting via Row Comments
### Summary
An authenticated commenter could store HTML in row comments that executed as script
when other users hovered over the comment in the expanded form view.
### Details
The comment wr...
An authenticated commenter could store HTML in row comments that executed as script
when other users hovered over the comment in the expanded form view.
### Details
The comment wr...
๐จ CVE-2026-47384
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
SQL Injection via Column Title in Bulk GroupBy
### Summary
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
### Details
The bulk groupBy path i...
An authenticated user with column-create permission can inject SQL into the bulk groupBy
endpoint by setting a column's title to a SQL fragment.
### Details
The bulk groupBy path i...
๐จ CVE-2026-47385
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Path Traversal via SQLite Source Filename
### Summary
An authenticated user with base-create permission can attach a SQLite source pointing at
an arbitrary file on the NocoDB host, including NocoDB's own internal databases.
### Detail...
An authenticated user with base-create permission can attach a SQLite source pointing at
an arbitrary file on the NocoDB host, including NocoDB's own internal databases.
### Detail...
๐จ CVE-2026-47386
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
OAuth Authorization Code Race Condition
### Summary
Two concurrent token-exchange requests using the same OAuth authorization code could
each mint a distinct valid `(access_token, refresh_token)` pair, breaking the
single-use guarantee t...
Two concurrent token-exchange requests using the same OAuth authorization code could
each mint a distinct valid `(access_token, refresh_token)` pair, breaking the
single-use guarantee t...
๐จ CVE-2026-47387
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.
๐@cveNotify
GitHub
Stored Cross-Site Scripting via Form View Redirect URL
### Summary
The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with ...
The shared form-view submit handler in NocoDB writes the form's `redirect_url` to `window.location.href` after a same-host check that does not validate the URL scheme. A user with ...
๐จ CVE-2026-50193
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
๐@cveNotify
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if (and only if) the service reads deeply nested (1000s of levels) JSON as JsonNode (ObjectMapper.readTree()) and writes out same (or modifided) node using JsonNode.toString(). This can consume significant amount of resources with concurrent relatively small requests (1000 nested arrays is 2kB). This vulnerability is fixed in 2.14.0.
๐@cveNotify
GitHub
Fix #3447 ยท FasterXML/jackson-databind@a1fa4ae
General data-binding package for Jackson: works on streaming API (core) implementation(s) - Fix #3447 ยท FasterXML/jackson-databind@a1fa4ae