{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6224/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6224"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nocobase","rce","sandbox-escape","cve-2026-6224"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6224, affects NocoBase plugin-workflow-javascript versions up to 2.0.23. This vulnerability resides in the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within the \u003ccode\u003epackages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e file. By manipulating this function, an attacker can escape the intended sandbox environment. Publicly available exploits exist, increasing the risk of active exploitation. This vulnerability allows for remote, unauthenticated exploitation, making it a significant threat to systems running the affected NocoBase plugin. The vendor has not responded to vulnerability disclosure attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious request to the NocoBase server targeting the \u003ccode\u003eplugin-workflow-javascript\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe request is processed by the vulnerable \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within \u003ccode\u003eVm.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the identified manipulation technique to bypass the intended sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying server environment.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary JavaScript code within the server context.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through creating new user accounts or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, leading to potential data theft, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6224 can lead to complete compromise of the NocoBase server. An attacker can gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt normal operations. Given the nature of NocoBase as a data management platform, the impact could include widespread data breaches and significant reputational damage. Because exploits are publicly available, organizations using vulnerable versions of the plugin are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NocoBase plugin-workflow-javascript to a patched version beyond 2.0.23 to remediate CVE-2026-6224.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious NocoBase Workflow JavaScript Activity\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent malicious code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-nocobase-rce/","summary":"A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.","title":"NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-6224","version":"https://jsonfeed.org/version/1.1"}