nocodb (npm) security advisories

UNKNOWN

npm

CVE-2026-53926

NocoDB: OAuth Tokens Persist Through Security Events

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47386

NocoDB: OAuth Authorization Code Race Condition

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47388

NocoDB: Missing Ownership Check in MCP Attachment Read

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47385

NocoDB: Path Traversal via SQLite Source Filename

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47387

NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47384

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47383

NocoDB: Stored Cross-Site Scripting via Row Comments

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47382

NocoDB: Server-Side Request Forgery via Database Connection Host

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47381

NocoDB: Cross-Workspace Integration Use in Connection Test

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47378

NocoDB: Hidden Column Exposure in Public Shared View Endpoints

Jun 5, 2026

MEDIUM 6.0

npm

CVE-2026-47375

NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47380

NocoDB: User Enumeration via Sign-In Timing

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47376

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47379

NocoDB: Plaintext Password Comparison in Shared Views

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47377

NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin

Jun 5, 2026

UNKNOWN

npm

CVE-2026-47279

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Jun 5, 2026

MEDIUM 6.1

npm

CVE-2026-46547

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

May 21, 2026

MEDIUM 5.4

npm

CVE-2026-46550

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags

May 21, 2026

MEDIUM 4.3

npm

CVE-2026-46548

NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)

May 21, 2026

UNKNOWN

npm

CVE-2026-46554

NocoDB: Stale Auth Cache After API Token Deletion

May 21, 2026

UNKNOWN

npm

CVE-2026-46553

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

May 21, 2026

MEDIUM 6.5

npm

CVE-2026-46551

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

May 21, 2026

MEDIUM 5.8

npm

CVE-2026-46552

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

May 21, 2026

LOW 2.0

npm

CVE-2026-46549

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

May 21, 2026

UNKNOWN

npm

CVE-2026-28357

NocoDB has Stored Cross-site Scripting via Formula Cell

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28396

NocoDB's Refresh Tokens Not Revoked on Password Reset

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28361

NocoDB Missing Ownership Validation in MCP Token Operations

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28397

NocoDB Vulnerable to Stored Cross-site Scripting via Comments

Mar 3, 2026

UNKNOWN

npm

CVE-2026-28359

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28360

NocoDB has Plaintext Storage of Shared View Passwords

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28398

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Mar 3, 2026

UNKNOWN

npm

CVE-2026-28358

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

Mar 2, 2026

UNKNOWN

npm

CVE-2026-28401

NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells

Mar 3, 2026

UNKNOWN

npm

CVE-2026-28399

NocoDB Vulnerable to SQL Injection via DATEADD Formula

Mar 3, 2026

MEDIUM 4.9

npm

CVE-2026-24767

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality

Jan 28, 2026

MEDIUM 4.9

npm

CVE-2026-24766

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

Jan 28, 2026

UNKNOWN

npm

CVE-2026-24768

NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter

Jan 28, 2026

UNKNOWN

npm

CVE-2026-24769

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Jan 28, 2026

MEDIUM 6.1

npm

CVE-2025-27506

NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Mar 6, 2025

MEDIUM 6.5

npm

CVE-2023-50718

NocoDB SQL Injection vulnerability

May 13, 2024

MEDIUM 5.7

npm

CVE-2023-50717

NocoDB Allows Preview of Files with Dangerous Content

May 13, 2024

HIGH 7.3

npm

CVE-2023-49781

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

May 13, 2024

MEDIUM 6.5

npm

CVE-2023-5104

Improper Input Validation in nocodb

Sep 21, 2023

MEDIUM 6.5

npm

CVE-2023-43794

nocodb SQL Injection vulnerability

Oct 17, 2023

MEDIUM 6.5

npm

CVE-2022-3423

NocoDB vulnerable to Denial of Service

Oct 7, 2022

MEDIUM 5.4

npm

CVE-2022-2079

Cross-site Scripting in NocoDB

Jun 15, 2022

HIGH 8.8

npm

CVE-2022-2064

Insufficient Session Expiration in NocoDB

Jun 14, 2022

HIGH 8.8

npm

CVE-2022-2063

Improper Privilege Management in NocoDB

Jun 14, 2022

HIGH 7.5

npm

CVE-2022-2062

NocoDB information disclosure vulnerability

Jun 14, 2022

nocodb

Vulnerabilities

NocoDB: OAuth Tokens Persist Through Security Events

NocoDB: OAuth Authorization Code Race Condition

NocoDB: Missing Ownership Check in MCP Attachment Read

NocoDB: Path Traversal via SQLite Source Filename

NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

NocoDB: SQL Injection via Column Title in Bulk GroupBy

NocoDB: Stored Cross-Site Scripting via Row Comments

NocoDB: Server-Side Request Forgery via Database Connection Host

NocoDB: Cross-Workspace Integration Use in Connection Test

NocoDB: Hidden Column Exposure in Public Shared View Endpoints

NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`

NocoDB: User Enumeration via Sign-In Timing

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

NocoDB: Plaintext Password Comparison in Shared Views

NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags

NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)

NocoDB: Stale Auth Cache After API Token Deletion

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

NocoDB has Stored Cross-site Scripting via Formula Cell

NocoDB's Refresh Tokens Not Revoked on Password Reset

NocoDB Missing Ownership Validation in MCP Token Operations

NocoDB Vulnerable to Stored Cross-site Scripting via Comments

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

NocoDB has Plaintext Storage of Shared View Passwords

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells

NocoDB Vulnerable to SQL Injection via DATEADD Formula

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

NocoDB SQL Injection vulnerability

NocoDB Allows Preview of Files with Dangerous Content

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

Improper Input Validation in nocodb

nocodb SQL Injection vulnerability

NocoDB vulnerable to Denial of Service

Cross-site Scripting in NocoDB

Insufficient Session Expiration in NocoDB

Improper Privilege Management in NocoDB

NocoDB information disclosure vulnerability

Start Securing