nodebb
npm14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting nodebbpage 1 of 1
- CVE-2015-3296MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.702017-09-21
Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript: or (2) data: URLs.
- CVE-2015-9286MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.8.22019-04-30
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.
- CVE-2021-43786CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.18.52021-11-29
Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patch as of v1.18.5. User…
- CVE-2021-43787CRITICALCVSS 9.0EG 9.0✓ Fixed in 1.18.52021-11-29
Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing…
- CVE-2021-43788MEDIUMCVSS 5.0EG 5.0✓ Fixed in 1.18.52021-11-29
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched …
- CVE-2022-36045CRITICALCVSS 9.0EG 9.0✓ Fixed in 2.0.12022-08-31
vulnerable: 2.0.0
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in es…
- CVE-2022-36076HIGHCVSS 8.8EG 8.8✓ Fixed in 1.17.22022-09-02
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added …
- CVE-2022-3978MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2.5.82022-11-13
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack re…
- CVE-2022-46164CRITICALCVSS 9.4EG 9.4✓ Fixed in 2.6.12022-12-05
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerabi…
- CVE-2023-26045CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.8.72023-07-24
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specia…
- CVE-2023-2850MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.8.132023-07-25
NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this vulnerability allows certain user information to be extracted by attacker.
- CVE-2024-29316MEDIUMCVSS 6.3EG 6.3✓ Fixed in 3.6.72024-03-28
NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via "isadmin":true.
- CVE-2024-57041MEDIUMCVSS 4.6EG 4.6✓ Fixed in 3.11.12025-01-24
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.
- CVE-2025-50979HIGHCVSS 8.6EG 8.62025-08-27
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind …
Check whether nodebb is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for nodebb CVEs against the assets you own.
Start Free Scan →