Vendor

Nocobase

2 briefs RSS

NocoBase SQL Injection via Missing Validation on Update Endpoint

A SQL injection vulnerability exists in nocobase plugin-collection-sql versions 2.0.32 and earlier due to missing validation on the sqlCollection:update endpoint, allowing attackers with collection management permissions to execute arbitrary SQL queries and exfiltrate data.

plugin-collection-sql sql-injection web-application nocobase

2r 1t Jan 24, 2024

critical advisory

NocoBase SQL Injection via Recursive Eager Loading

2 rules 4 TTPs

NocoBase versions 2.0.32 and earlier are vulnerable to SQL injection due to string concatenation in the `queryParentSQL()` function, allowing attackers with record creation permissions to inject arbitrary SQL and potentially extract sensitive information or execute commands.

NocoBase sqli cve-2026-41640 injection

2r 4t Jan 3, 2024