|
931
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's …
|
CWE-79
Cross-site Scripting
|
CVE-2026-47387
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
932
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including a…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-47388
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
933
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and p…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-53926
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
934
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in t…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-53927
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
935
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset th…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-53928
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
936
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing prot…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-53930
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
937
|
- |
|
-
|
-
|
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable …
|
CWE-441
CWE-918
Confused Deputy
Server-Side Request Forgery (SSRF)
|
CVE-2026-53931
|
2026-06-25 23:21 |
2026-06-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
938
|
8.5 |
HIGH
Network
|
-
|
-
|
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method pas…
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-45687
|
2026-06-25 23:19 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
939
|
8.3 |
HIGH
Network
|
-
|
-
|
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the fix for CVE-2022-1285 prevents adding webooks or running webhooks with URLs with a hostname that resolves in localCIDRs. However, …
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-47267
|
2026-06-25 23:19 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
940
|
- |
|
-
|
-
|
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or …
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-49277
|
2026-06-25 23:19 |
2026-06-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
