Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-53931 — NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable …

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53930 — NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing prot…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53929 — NocoDB: Stored Cross-Site Scripting via Secure Attachment

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rend…

nocodb | Remote | Misconfiguration
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-53928 — NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset th…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-53927 — NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in t…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-53926 — NocoDB: OAuth Tokens Persist Through Security Events

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and p…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-50193 — jackson-databind: Deeply nested JsonNode throws StackOverflowError for toString()

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends …

jackson-databind | Remote | Denial of Service
Jun 23, 2026 Jun 27, 2026
Jun 23, 2026
Jun 27, 2026
2.3 LOW
CVE-2026-47388 — NocoDB: Missing Ownership Check in MCP Attachment Read

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including a…

nocodb | Remote | Authorization
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
8.4 HIGH
CVE-2026-47387 — NocoDB: Stored Cross-Site Scripting via Form View Redirect URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's …

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-47386 — NocoDB: OAuth Authorization Code Race Condition

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47385 — NocoDB: Path Traversal via SQLite Source Filename

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB…

nocodb | Remote | Path Traversal
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47384 — NocoDB: SQL Injection via Column Title in Bulk GroupBy

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's …

nocodb | Remote | Injection
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
7.4 HIGH
CVE-2026-47383 — NocoDB: Stored Cross-Site Scripting via Row Comments

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the co…

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-47382 — NocoDB: Server-Side Request Forgery via Database Connection Host

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the connection-test endpoint opened a raw TCP socket to the user-supplied database host without resolving and range-chec…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.9 MEDIUM
CVE-2026-47381 — NocoDB: Cross-Workspace Integration Use in Connection Test

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying …

nocodb | Remote | Authorization
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.3 MEDIUM
CVE-2026-47380 — NocoDB: User Enumeration via Sign-In Timing

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned with…

nocodb | Remote | Authentication
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.9 MEDIUM
CVE-2026-47379 — NocoDB: Plaintext Password Comparison in Shared Views

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the…

nocodb | Remote | Information Disclosure
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
6.9 MEDIUM
CVE-2026-47378 — NocoDB: Hidden Column Exposure in Public Shared View Endpoints

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: gr…

nocodb | Remote | Information Disclosure
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-47377 — NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment afte…

nocodb | Remote | Server-Side Request Forgery
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
5.1 MEDIUM
CVE-2026-47376 — NocoDB: Reflected Cross-Site Scripting via Password Reset Token

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS templa…

nocodb | Remote | Cross-Site Scripting
Jun 23, 2026 Jun 25, 2026
Jun 23, 2026
Jun 25, 2026
Showing 20 of 7989 Results