| # | CVSS | Severity | Attack vector | Description | CWE | CVE | Updated | Published | References |
|---|---|---|---|---|---|---|---|---|---|
| 911 | 4.3 | MEDIUM | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord,… | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-46548 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 912 | 2.0 | LOW | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware ne… | CWE-863 Incorrect Authorization | CVE-2026-46549 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 913 | 5.4 | MEDIUM | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over p… | CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CVE-2026-46550 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 914 | 6.5 | MEDIUM | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-le… | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-46551 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 915 | 5.8 | MEDIUM | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base… | CWE-285 Improper Authorization | CVE-2026-46552 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 916 | - | - | - | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Leng… | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-46553 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 917 | - | - | - | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not in… | CWE-613 Insufficient Session Expiration | CVE-2026-46554 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 918 | - | - | - | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was vis… | CWE-284 Improper Access Control | CVE-2026-47279 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 919 | 6.0 | MEDIUM | Network | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engi… | CWE-89 SQL Injection | CVE-2026-47375 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |
| 920 | - | - | - | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS templa… | CWE-79 Cross-site Scripting | CVE-2026-47376 | 2026-06-25 23:21 | 2026-06-24 | GitHub, Exploit DB, Packet Storm |