|
921
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment afte…
|
CWE-601
Open Redirect
|
CVE-2026-47377
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
922
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: gr…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-47378
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
923
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the…
|
CWE-200
CWE-203
Information Exposure
Information Exposure Through Discrepancy
|
CVE-2026-47379
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
924
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned with…
|
CWE-208
CWE-307
Information Exposure Through Timing Discrepancy
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-47380
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
925
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying …
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-47381
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
926
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-chec…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-47382
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
927
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the co…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47383
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
928
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's …
|
CWE-89
SQL Injection
|
CVE-2026-47384
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
929
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB…
|
CWE-22
Path Traversal
|
CVE-2026-47385
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
930
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_…
|
CWE-362
Race Condition
|
CVE-2026-47386
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
