Tag

Nocobase

4 briefs RSS

NocoBase 2.0.27 VM Sandbox Escape Vulnerability

A local exploit has been published for NocoBase 2.0.27, detailing a VM Sandbox Escape vulnerability, increasing the risk to unpatched systems.

NocoBase 2.0.27 vm-sandbox-escape local-exploit nocobase

2r May 7, 2026

critical threat

NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability

2 rules 1 TTP 1 CVE

A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.

exploited nocobase rce sandbox-escape cve-2026-6224

2r 1t 1c Apr 14, 2026

high advisory

NocoBase SQL Injection via Missing Validation on Update Endpoint

2 rules 1 TTP

A SQL injection vulnerability exists in nocobase plugin-collection-sql versions 2.0.32 and earlier due to missing validation on the sqlCollection:update endpoint, allowing attackers with collection management permissions to execute arbitrary SQL queries and exfiltrate data.

plugin-collection-sql sql-injection web-application nocobase

2r 1t Jan 24, 2024

critical advisory

NocoBase SQL Injection via Recursive Eager Loading

2 rules 4 TTPs

NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.

NocoBase sqli cve-2026-41640 injection

2r 4t Jan 3, 2024