| CVE ID | 标题 | 严重程度 | 情报来源 | |||
|---|---|---|---|---|---|---|
| Improper Privilege Management in NocoDB | HIGH | 8.8v3.1 | 4.40 | — | 2022. 06. 14. | |
| Insufficient Session Expiration in NocoDB | HIGH |
| 8.8v3.1 |
4.40 |
| — |
| 2022. 06. 14. |
| CVE-2026-47387 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in th | HIGH | 8.4v4.0 | 4.20 | — | 2026. 06. 23. |
| CVE-2022-2062 | NocoDB information disclosure vulnerability | HIGH | 7.5v3.1 | 3.75 | — | 2022. 06. 14. |
| CVE-2026-47383 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, | HIGH | 7.4v4.0 | 3.70 | — | 2026. 06. 23. |
| CVE-2026-53931 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the underlying request is for another file. This vulnerability is fixed in 2026.05.1. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 06. 23. |
| CVE-2026-47381 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. This vulnerability is fixed in 2026.05.1. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 06. 23. |
| CVE-2026-47379 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 06. 23. |
| CVE-2026-47378 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data list accepted arbitrary link-column IDs from other tables in the same base. This vulnerability is fixed in 2026.04.1. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 06. 23. |
| CVE-2026-47279 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. publicMmList, publicHmList, and relDataList already ensured that the requested column belonged to the view's model, but did not check the vi | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 06. 23. |
| CVE-2026-46551 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causing denial of service. In packages/nocodb/src/services/attachments.service.ts, the HEAD probe read content-length but never compared it to NC | MEDIUM | 6.5v3.1 | 3.25 | — | 2026. 06. 23. |
| CVE-2026-53928 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new acce | MEDIUM | 6.3v4.0 | 3.15 | — | 2026. 06. 23. |
| CVE-2026-53926 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1. | MEDIUM | 6.3v4.0 | 3.15 | — | 2026. 06. 23. |
| CVE-2026-47386 | NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1. | MEDIUM | 6.3v4.0 | 3.15 | — | 2026. 06. 23. |
| CVE-2026-47380 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1. | MEDIUM | 6.3v4.0 | 3.15 | — | 2026. 06. 23. |
| CVE-2026-46547 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1. | MEDIUM | 6.1v3.1 | 3.05 | — | 2026. 06. 23. |
| CVE-2025-27506 | NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page | — | 6.1v3.1 | 3.05 | — | 2025. 03. 06. |
| CVE-2026-47375 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for | MEDIUM | 6.0v3.1 | 3.00 | — | 2026. 06. 23. |
| CVE-2026-46552 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions | MEDIUM | 5.8v3.1 | 2.90 | — | 2026. 06. 23. |
| CVE-2026-46550 | NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1. | MEDIUM | 5.4v3.1 | 2.70 | — | 2026. 06. 23. |