from 0, < 0.91.9
from 0, < 0.91.8
from 0, < 0.91.7
HIGH 7.3 NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
from 0, < 0.202.9
MEDIUM 6.5 NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
from 0, <= 0.301.3
MEDIUM 6.5 NocoDB SQL Injection vulnerability
from 0, < 0.202.10
MEDIUM 6.5 nocodb SQL Injection vulnerability
from 0, < 0.111.0
MEDIUM 6.5 Improper Input Validation in nocodb
from 0, < 0.96.0
MEDIUM 6.5 NocoDB vulnerable to Denial of Service
from 0, < 0.92.0
MEDIUM 6.1 NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
from 0, <= 0.301.3
MEDIUM 6.1 NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
from 0, < 0.258.0
MEDIUM 6.0 NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
from 0, < 2026.04.1
MEDIUM 5.8 NocoDB: Shared-base link access can invite arbitrary users as persistent base members
from 0, <= 0.301.3
MEDIUM 5.7 NocoDB Allows Preview of Files with Dangerous Content
>= 0.202.6, < 0.202.10
MEDIUM 5.4 NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
from 0, <= 0.301.3
MEDIUM 5.4 Cross-site Scripting in NocoDB
from 0, < 0.91.9
MEDIUM 4.9 NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
from 0, < 0.301.0
MEDIUM 4.9 NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
from 0, < 0.301.0
MEDIUM 4.3 NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
from 0, <= 0.301.3
LOW 2.0 NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
from 0, <= 0.301.3
— NocoDB: Missing Ownership Check in MCP Attachment Read
from 0, < 2026.05.1
— NocoDB: Stored Cross-Site Scripting via Form View Redirect URL
from 0, < 2026.05.1
— NocoDB: OAuth Authorization Code Race Condition
from 0, < 2026.05.1
— NocoDB: Path Traversal via SQLite Source Filename
from 0, < 2026.05.1
— NocoDB: SQL Injection via Column Title in Bulk GroupBy
from 0, < 2026.05.1
— NocoDB: Stored Cross-Site Scripting via Row Comments
from 0, < 2026.05.1
— NocoDB: Server-Side Request Forgery via Database Connection Host
from 0, < 2026.05.1
— NocoDB: Cross-Workspace Integration Use in Connection Test
from 0, < 2026.05.1
— NocoDB: User Enumeration via Sign-In Timing
from 0, < 2026.04.1
— NocoDB: Plaintext Password Comparison in Shared Views
from 0, < 2026.05.1
— NocoDB: Hidden Column Exposure in Public Shared View Endpoints
from 0, < 2026.04.1
— NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin
from 0, < 2026.04.1
— NocoDB: Reflected Cross-Site Scripting via Password Reset Token
from 0, < 2026.04.1
— NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints
from 0, < 2026.05.1
— NocoDB: Stale Auth Cache After API Token Deletion
from 0, <= 0.301.3
— NocoDB: Attachment Size Limit Bypass via Upload-by-URL
from 0, <= 0.301.3
— NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
from 0, < 0.301.3
— NocoDB Vulnerable to Stored Cross-site Scripting via Comments
from 0, < 0.301.3
— NocoDB Vulnerable to SQL Injection via DATEADD Formula
from 0, < 0.301.3
— NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
from 0, < 0.301.3
— NocoDB Missing Ownership Validation in MCP Token Operations
from 0, < 0.301.3
— NocoDB's Refresh Tokens Not Revoked on Password Reset
from 0, < 0.301.3
— NocoDB has Plaintext Storage of Shared View Passwords
from 0, < 0.301.3
— NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
from 0, < 0.301.3
— NocoDB Vulnerable to User Enumeration via Password Reset Endpoint
from 0, < 0.301.3
— NocoDB has Stored Cross-site Scripting via Formula Cell
from 0, < 0.301.3
— NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
from 0, < 0.301.0
— NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
from 0, < 0.301.0