CVE-2026-41640 Scanner
CVE-2026-41640 Scanner - SQL Injection vulnerability in NocoBase
Short Info
Level
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 7 hours
Scan only one: Domain, Subdomain, IPv4
NocoBase is a platform designed to offer an intuitive interface for building data-centric applications. It is primarily used by developers looking to create custom applications without extensive coding. This makes it a popular choice for businesses seeking to streamline their application development process while ensuring flexibility in application design. The software is deployed in various environments, including corporate settings, to facilitate efficient data management and application customization. As an open-source platform, it encourages community collaboration and extension of its functionalities. It aims to simplify application building while maintaining a robust infrastructure for scalability.
SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally occurs when user input is not properly sanitized, allowing malicious users to execute arbitrary SQL code. This type of attack can lead to unauthorized viewing of data, deletion of data, and in some cases, full control of the database server. In NocoBase, this vulnerability permits an authenticated attacker to manipulate the database by injecting malicious SQL via the queryParentSQL function. The flaw underscores the need for proper validation and parameterized queries to safeguard against malicious manipulations.
The SQL Injection vulnerability in NocoBase affects the @nocobase/database package, specifically the queryParentSQL function in a TypeScript file responsible for constructing recursive SQL queries. The issue arises because user-controlled input, specifically primary key values, is concatenated directly into the SQL WHERE IN clause instead of being passed as bound parameters. This lack of parameterization allows attackers with certain permissions to craft inputs that alter SQL execution flow, leading to unwanted data retrieval or modification. A crafted injection can exfiltrate data or modify the database in unpredictable ways, depending on the attacker's goals and access.
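The difference between concatenating primary key values into a WHERE IN clause and binding them, as an added example that is not NocoBase's code. The function names, the `categories`/`id`/`parentId` schema and the PostgreSQL-style `$n` placeholders are assumptions made for illustration.

```typescript
// Added illustration. Function, table and column names are hypothetical;
// this is not NocoBase's queryParentSQL.
type Id = string | number;

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Identifiers cannot be bound as parameters, so allow-list their shape and quote them.
function quoteIdent(name: string): string {
  if (!IDENT.test(name)) throw new Error("invalid identifier: " + name);
  return '"' + name + '"';
}

// Weak form: primary key values become part of the SQL text.
function buildParentQueryUnsafe(table: string, pk: string, fk: string, ids: Id[]): string {
  return (
    `WITH RECURSIVE cte AS (` +
    ` SELECT ${pk}, ${fk} FROM ${table} WHERE ${pk} IN (${ids.join(", ")})` +
    ` UNION ALL` +
    ` SELECT t.${pk}, t.${fk} FROM ${table} t JOIN cte ON t.${pk} = cte.${fk}` +
    ` ) SELECT ${pk}, ${fk} FROM cte`
  );
}

// Hardened form: one placeholder per value; the values travel only in the bind array.
function buildParentQuerySafe(table: string, pk: string, fk: string, ids: Id[]): { sql: string; bind: Id[] } {
  if (ids.length === 0) throw new Error("ids must not be empty");
  const t = quoteIdent(table);
  const p = quoteIdent(pk);
  const f = quoteIdent(fk);
  const marks = ids.map((_, i) => "$" + (i + 1)).join(", ");
  const sql =
    `WITH RECURSIVE cte AS (` +
    ` SELECT ${p}, ${f} FROM ${t} WHERE ${p} IN (${marks})` +
    ` UNION ALL` +
    ` SELECT t.${p}, t.${f} FROM ${t} t JOIN cte ON t.${p} = cte.${f}` +
    ` ) SELECT ${p}, ${f} FROM cte`;
  return { sql, bind: [...ids] };
}

// Constructed sample input: the second value is not a valid key.
const sampleIds: Id[] = [7, "8) OR (1=1"];
const unsafeSql = buildParentQueryUnsafe("categories", "id", "parentId", sampleIds);
const safe = buildParentQuerySafe("categories", "id", "parentId", sampleIds);
```

In the concatenated form the malformed key changes the structure of the WHERE clause, while in the bound form the statement text is fixed and the same value is only ever compared as data.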
If exploited, this SQL Injection vulnerability could have significant impacts, such as unauthorized data access and manipulation. An attacker could retrieve sensitive information, delete critical data, or even gain control over the database server. This, in turn, may lead to severe data breaches, financial loss, or reputation damage to organizations relying on NocoBase. Furthermore, the potential manipulation of data integrity poses risks to business continuity, especially for companies whose operations heavily rely on real-time data processing and applications.