CVE-2026-52888 in NocoBaseinformação

Sumário

de MITRE • 16/07/2026

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Responsável

GitHub M

Reservar

08/06/2026

Divulgação

16/07/2026

Moderação

aceite

Entrada

VDB-379404

CPE

pronto

EPSS

0.00000

KEV

não

Atividades

muito baixo

Fontes

Do you want to use VulDB in your project?

Use the official API to access entries easily!