| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system.
This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, so URLs whose query string ended in .csv satisfies the gate even though the
underlying request is for another file. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint (axiosRequestMake) accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, a low-privilege MCP token holder with knowledge of an attachment path could read any file in shared storage, including attachments belonging to other bases and workspaces, because the MCP readAttachment tool did not verify the file's ownership. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid (access_token, refresh_token) pair, breaking the single-use guarantee that PKCE relies on. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column_name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column_name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped. This vulnerability is fixed in 2026.05.1. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1. |
| An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access |
| FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating rel_id when rel_type=order, an authenticated client can create a support ticket that references another client's order they do not own. The ticketCreateForClient() method accepted rel_id without verifying order ownership for non-upgrade tasks, allowing clients to link a new ticket to another client's order by crafting the request. No cron task automatically processes cancel/upgrade requests from ticket relations; staff action is required. This affects integrity and confidentiality: staff could be misled into acting on the wrong order (e.g., cancellation or upgrade requests). While there is no client-to-client order data exposure, order IDs may appear in ticket context. This issue has been fixed in version 0.8.0. |
| FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details
In ServiceTransaction::getSearchQuery() and Order\Service::getSearchQuery(), OR-based search/action filters were appended without grouping, allowing SQL operator precedence to evaluate OR clauses independently of the enforced client_id constraint. Crafted requests could therefore return records and metadata belonging to other clients, including identifiers, amounts, status, timestamps, and related fields. This issue was fixed in version 0.8.0. |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1. |
| An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiNAC-F 7.6.3 through 7.6.5, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. |
| An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges. |
| A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. |
| Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4. |
