| 1871 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's … | CWE-89 | SQL Injection | CVE-2026-47384 | 2026-06-25 23:21 | 2026-06-24 |
| 1872 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB… | CWE-22 | Path Traversal | CVE-2026-47385 | 2026-06-25 23:21 | 2026-06-24 |
| 1873 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_… | CWE-362 | Race Condition | CVE-2026-47386 | 2026-06-25 23:21 | 2026-06-24 |
| 1874 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's … | CWE-79 | Cross-site Scripting | CVE-2026-47387 | 2026-06-25 23:21 | 2026-06-24 |
| 1875 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including a… | CWE-639 | Authorization Bypass Through User-Controlled Key | CVE-2026-47388 | 2026-06-25 23:21 | 2026-06-24 |
| 1876 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and p… | CWE-613 | Insufficient Session Expiration | CVE-2026-53926 | 2026-06-25 23:21 | 2026-06-24 |
| 1877 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in t… | CWE-918 | Server-Side Request Forgery (SSRF) | CVE-2026-53927 | 2026-06-25 23:21 | 2026-06-24 |
| 1878 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset th… | CWE-613 | Insufficient Session Expiration | CVE-2026-53928 | 2026-06-25 23:21 | 2026-06-24 |
| 1879 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing prot… | CWE-918 | Server-Side Request Forgery (SSRF) | CVE-2026-53930 | 2026-06-25 23:21 | 2026-06-24 |
| 1880 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable … | CWE-441, CWE-918 | Confused Deputy, Server-Side Request Forgery (SSRF) | CVE-2026-53931 | 2026-06-25 23:21 | 2026-06-24 |