Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Nocobase
Nocobase nocobase |
|
| Vendors & Products |
Nocobase
Nocobase nocobase |
Wed, 15 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. In 2.0.59 and earlier, NocoBase @nocobase/plugin-collection-sql used the checkSQL() function in packages/plugins/@nocobase/plugin-collection-sql/src/server/utils.ts with an incomplete keyword blacklist that did not restrict PostgreSQL system catalog tables such as pg_shadow, pg_roles, and pg_stat_activity, allowing an admin-role user to read password hashes and database metadata through the SQL Collection feature. This vulnerability is fixed in 2.1.0-alpha.46. | |
| Title | NocoBase: Sensitive Data Exposure via SQL Blacklist Bypass | |
| Weaknesses | CWE-184 CWE-200 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T15:12:38.696Z
Reserved: 2026-06-08T21:44:27.365Z
Link: CVE-2026-52888
Updated: 2026-07-16T14:50:22.366Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T23:45:15Z