npm

nocodb

50 known vulnerabilities · 0 critical · 4 high

CVE-2022-2064 HIGH

Insufficient Session Expiration in NocoDB

Published Jun 14, 2022
CVE-2023-43794 MEDIUM

nocodb SQL Injection vulnerability

Published Oct 17, 2023
CVE-2022-2062 HIGH

NocoDB information disclosure vulnerability

Published Jun 14, 2022
CVE-2026-28398

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Published Mar 3, 2026
CVE-2026-28357

NocoDB has Stored Cross-site Scripting via Formula Cell

Published Mar 2, 2026
CVE-2026-28399

NocoDB Vulnerable to SQL Injection via DATEADD Formula

Published Mar 3, 2026
CVE-2026-24766

NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS

Published Jan 28, 2026
CVE-2022-2079 MEDIUM

Cross-site Scripting in NocoDB

Published Jun 15, 2022
CVE-2026-28361

NocoDB Missing Ownership Validation in MCP Token Operations

Published Mar 2, 2026
CVE-2026-24767

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality

Published Jan 28, 2026
CVE-2023-5104 MEDIUM

Improper Input Validation in nocodb

Published Sep 21, 2023
CVE-2022-3423 HIGH

NocoDB vulnerable to Denial of Service

Published Oct 7, 2022
CVE-2026-28360

NocoDB has Plaintext Storage of Shared View Passwords

Published Mar 2, 2026
CVE-2026-24769

NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload

Published Jan 28, 2026
CVE-2026-28359

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Published Mar 2, 2026
CVE-2026-28401

NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells

Published Mar 3, 2026
CVE-2026-24768

NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter

Published Jan 28, 2026
GHSA-4w6r-5c2j-qf5f

NocoDB: Hidden Column Exposure in Public Shared View Endpoints

Published Jun 5, 2026
GHSA-8m7c-hf24-5g47

NocoDB: OAuth Authorization Code Race Condition

Published Jun 5, 2026
GHSA-6xcx-7qmg-vjfq

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Published Jun 5, 2026
GHSA-96fh-m4r8-6v9v

NocoDB: Cross-Workspace Integration Use in Connection Test

Published Jun 5, 2026
GHSA-9wgh-m22w-9xj8

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Published Jun 5, 2026
GHSA-cxv7-gmmp-228p

NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`

Published Jun 5, 2026
GHSA-jf3g-4gwg-4h66

NocoDB: Stored Cross-Site Scripting via Row Comments

Published Jun 5, 2026
CVE-2022-2063 HIGH

Improper Privilege Management in NocoDB

Published Jun 14, 2022
GHSA-jr54-jwhj-55gp

NocoDB: User Enumeration via Sign-In Timing

Published Jun 5, 2026
GHSA-rvp5-9p55-f5rp

NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin

Published Jun 5, 2026
GHSA-qhxg-623c-cfjm

NocoDB: Plaintext Password Comparison in Shared Views

Published Jun 5, 2026
CVE-2026-28397

NocoDB Vulnerable to Stored Cross-site Scripting via Comments

Published Mar 3, 2026
GHSA-wvqj-9wv4-7ff5

NocoDB: Path Traversal via SQLite Source Filename

Published Jun 5, 2026
GHSA-w43h-r5m5-p832

NocoDB: Server-Side Request Forgery via Database Connection Host

Published Jun 5, 2026
CVE-2026-28358

NocoDB Vulnerable to User Enumeration via Password Reset Endpoint

Published Mar 2, 2026
GHSA-p8wx-5f39-w3x4

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Published Jun 5, 2026
CVE-2026-28396

NocoDB's Refresh Tokens Not Revoked on Password Reset

Published Mar 2, 2026
GHSA-g72g-r7m4-9x4g

NocoDB: OAuth Tokens Persist Through Security Events

Published Jun 5, 2026
GHSA-hj85-ph9q-78jg

NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

Published Jun 5, 2026
GHSA-xxpj-q764-9r6q

NocoDB: Missing Ownership Check in MCP Attachment Read

Published Jun 5, 2026
GHSA-2c5x-4jgf-88mj

NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)

Published May 21, 2026
GHSA-chqv-vrj7-qffp

NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Published May 21, 2026
GHSA-8rwr-f68v-cvw6

NocoDB: Attachment Size Limit Bypass via Upload-by-URL

Published May 21, 2026
GHSA-99vc-2jx2-688p

NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

Published May 21, 2026
GHSA-9qgr-6vpg-9gh9

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

Published May 21, 2026
GHSA-f74w-272x-mqcv

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags

Published May 21, 2026
GHSA-m5qg-rvjq-727p

NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

Published May 21, 2026
GHSA-6mhr-74x2-98v9

NocoDB: Stored Cross-Site Scripting via Secure Attachment

Published Jun 17, 2026
GHSA-gprh-27j3-g5h4

NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

Published Jun 17, 2026
GHSA-h6vv-pcq8-7xm4

NocoDB: Server-Side Request Forgery via Base Migration URL

Published Jun 17, 2026
GHSA-hmcr-rmjq-47qr

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

Published Jun 17, 2026
GHSA-f76x-f9vj-92jv

NocoDB: Stale Auth Cache After API Token Deletion

Published May 21, 2026
GHSA-r989-7g3j-wjhw

NocoDB: Refresh Tokens Persist Through Password Recovery

Published Jun 17, 2026