nocodb
npm44 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting nocodbpage 1 of 1
- CVE-2022-2062HIGHCVSS 7.5EG 7.5✓ Fixed in 0.91.72022-06-13
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.
- CVE-2022-2063HIGHCVSS 8.8EG 8.8✓ Fixed in 0.91.82022-06-13
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
- CVE-2022-2064HIGHCVSS 8.8EG 8.8✓ Fixed in 0.91.92022-06-13
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
- CVE-2022-2079MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.91.92022-06-14
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
- CVE-2022-3423HIGHCVSS 7.3EG 7.3✓ Fixed in 0.92.02022-10-07
Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0.
- CVE-2023-43794MEDIUMCVSS 4.9EG 6.5✓ Fixed in 0.111.02023-10-17
Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted …
- CVE-2023-49781HIGHCVSS 7.3EG 7.3✓ Fixed in 0.202.92024-05-14
NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays…
- CVE-2023-50717MEDIUMCVSS 5.7EG 5.7✓ Fixed in 0.202.102024-05-14
NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts ca…
- CVE-2023-50718MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.202.102024-05-14
NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result…
- CVE-2023-5104MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.96.02023-09-21
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
- CVE-2025-27506MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.258.02025-03-06
NocoDB is software for building databases as spreadsheets. The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. The endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Refle…
- CVE-2026-24766MEDIUMCVSS 4.9EG 4.9✓ Fixed in 0.301.02026-01-28
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all datab…
- CVE-2026-24767MEDIUMCVSS 4.9EG 4.9✓ Fixed in 0.301.02026-01-28
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subseq…
- CVE-2026-24768MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.301.02026-01-28
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. Du…
- CVE-2026-24769CRITICALCVSS 9.0EG 9.0✓ Fixed in 0.301.02026-01-28
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files c…
- CVE-2026-46547MEDIUMCVSS 6.1EG 6.12026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a>…
- CVE-2026-46548MEDIUMCVSS 4.3EG 4.32026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / …
- CVE-2026-46549LOWCVSS 2.0EG 2.02026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token iss…
- CVE-2026-46550MEDIUMCVSS 5.4EG 5.42026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepte…
- CVE-2026-46551MEDIUMCVSS 6.5EG 6.52026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An …
- CVE-2026-46552MEDIUMCVSS 5.8EG 5.82026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker c…
- CVE-2026-46553LOWCVSS 2.1EG 2.12026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI,…
- CVE-2026-46554LOWCVSS 2.3EG 2.32026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion tim…
- CVE-2026-47279MEDIUMCVSS 6.9EG 6.9✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holdi…
- CVE-2026-47375MEDIUMCVSS 6.0EG 6.0✓ Fixed in 2026.04.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument o…
- CVE-2026-47376MEDIUMCVSS 5.1EG 5.1✓ Fixed in 2026.04.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fix…
- CVE-2026-47377MEDIUMCVSS 5.1EG 5.1✓ Fixed in 2026.04.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/')…
- CVE-2026-47378MEDIUMCVSS 6.9EG 6.9✓ Fixed in 2026.04.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column…
- CVE-2026-47379MEDIUMCVSS 6.9EG 6.9✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character pre…
- CVE-2026-47380MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.04.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash compariso…
- CVE-2026-47381MEDIUMCVSS 6.9EG 6.9✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetc…
- CVE-2026-47382MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-checking the destination, so private and lin…
- CVE-2026-47383HIGHCVSS 7.4EG 7.4✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The com…
- CVE-2026-47384MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupB…
- CVE-2026-47385MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal d…
- CVE-2026-47386MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the…
- CVE-2026-47387HIGHCVSS 8.4EG 8.4✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href aft…
- CVE-2026-47388LOWCVSS 2.3EG 2.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and …
- CVE-2026-53926MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.05.12026-06-05
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh t…
- CVE-2026-53927MEDIUMCVSS 5.1EG 5.12026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled reg…
- CVE-2026-53928MEDIUMCVSS 6.3EG 6.32026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwor…
- CVE-2026-53929MEDIUMCVSS 5.1EG 5.12026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin inste…
- CVE-2026-53930MEDIUMCVSS 5.1EG 5.12026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abu…
- CVE-2026-53931MEDIUMCVSS 6.9EG 6.92026-06-17
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension a…
Check whether nocodb is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for nocodb CVEs against the assets you own.
Start Free Scan →