Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21148
Total
1520
Critical
6441
High
6722
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-47387 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href … | Jun 23, 2026 |
| CVE-2026-47386 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a … | Jun 23, 2026 |
| CVE-2026-47385 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an … | Jun 23, 2026 |
| CVE-2026-47384 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint … | Jun 23, 2026 |
| CVE-2026-47383 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when … | Jun 23, 2026 |
| CVE-2026-47382 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without … | Jun 23, 2026 |
| CVE-2026-47381 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint … | Jun 23, 2026 |
| CVE-2026-47380 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch … | Jun 23, 2026 |
| CVE-2026-47379 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, … | Jun 23, 2026 |
| CVE-2026-47378 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via … | Jun 23, 2026 |
| CVE-2026-47377 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash … | Jun 23, 2026 |
| CVE-2026-47376 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in … | Jun 23, 2026 |
| CVE-2026-47375 | MEDIUM | 6.0 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL … | Jun 23, 2026 |
| CVE-2026-47279 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the … | Jun 23, 2026 |
| CVE-2026-46554 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the … | Jun 23, 2026 |
| CVE-2026-46553 | UNKNOWN | — | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length … | Jun 23, 2026 |
| CVE-2026-46552 | MEDIUM | 5.8 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the … | Jun 23, 2026 |
| CVE-2026-46551 | MEDIUM | 6.5 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the … | Jun 23, 2026 |
| CVE-2026-46550 | MEDIUM | 5.4 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag … | Jun 23, 2026 |
| CVE-2026-46549 | LOW | 2.0 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the … | Jun 23, 2026 |
| CVE-2026-46548 | MEDIUM | 4.3 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, … | Jun 23, 2026 |
| CVE-2026-46547 | MEDIUM | 6.1 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and … | Jun 23, 2026 |
| CVE-2026-41862 | HIGH | 8.8 | Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which … | Jun 23, 2026 |
| CVE-2026-23513 | UNKNOWN | — | FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients … | Jun 23, 2026 |
| CVE-2026-12892 | MEDIUM | 4.4 | A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, … | Jun 23, 2026 |