These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-53931 is a vulnerability in NocoDB, software for building databases as spreadsheets. The spreadsheet-import endpoint, axiosRequestMake, could be used as a generic HTTP proxy before version 2026.05.1. This endpoint was reachable unauthenticated and had a URL-extension allowlist that was a regex tested against the full URL string. This allowed URLs whose query string ended in .csv to bypass the g [truncated]
A vulnerability was discovered in NocoDB, software for building databases as spreadsheets. The base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse (file:, ftp:, etc.) and probing of internal HTTP destinations. This issue was fixed in version 2026.05.1. The vulnerability has a CVSS score of 5.1 and [truncated]
CVE-2026-53929 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, when NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. This occurred due to a mismatch in how response-header overrides were stored and read. The signed at [truncated]
CVE-2026-53927 is a vulnerability in the NocoDB software, which is used for building databases as spreadsheets. The spreadsheet-fetch endpoint (axiosRequestMake) in NocoDB accepted URLs with permitted extensions anywhere in the string, bypassing a hand-rolled regex blocklist. This blocklist omitted certain IP address ranges, including 127.0.0.0/8 and 169.254.0.0/16. As a result, an attacker could craft a [truncated]
CVE-2026-47387 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, the shared form-view submit handler in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. This allows an attacker with editor role (or above) on any base to plant a JavaScript URL in the form's redirect_url. Wh [truncated]
CVE-2026-47386 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, the software allowed two concurrent token-exchange requests using the same OAuth authorization code to each mint a distinct valid (access_token, refresh_token) pair. This breaks the single-use guarantee that Proof Key for Code Exchange (PKCE) relies on. The vulnerability has a CVSS sco [truncated]
CVE-2026-47385 is a vulnerability in NocoDB, software for building databases as spreadsheets. An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The vulnerability is fixed in version 2026.05.1. Users should update to the latest version to prevent exploitation. The CVSS score for this vuln [truncated]
CVE-2026-47384 is a SQL injection vulnerability in NocoDB, software for building databases as spreadsheets. An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The vulnerability exists because the bulk groupBy path in group-by.ts builds database-specific knex.raw() aggregations that interpolate the request's col [truncated]
CVE-2026-47383 is a high-severity vulnerability in NocoDB, software for building databases as spreadsheets. An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The vulnerability is due to the comment write paths persisting the raw comment body with no server-side sanitisation. The expanded-form sidebar t [truncated]
CVE-2026-47382 is a vulnerability in NocoDB, software for building databases as spreadsheets. The connection-test endpoint in NocoDB prior to version 2026.05.1 opened a raw TCP socket to the user-supplied database host without proper resolution and range checking. This allowed private and link-local addresses, including IPv4-mapped IPv6 forms and localhost, to be reached by the driver. The vulnerability [truncated]
CVE-2026-47378 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.04.1, public shared-view endpoints exposed values from columns that the view owner had hidden. This occurred via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and [truncated]
CVE-2026-47376 is a vulnerability in NocoDB, software for building databases as spreadsheets. The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. This allowed a crafted token to break out of the JS string context and execute attacker-controlled script in the NocoDB origin. The vulnerability was fixed in 2026.04.1 and requires only tha [truncated]
CVE-2026-47279 is a vulnerability in NocoDB, software for building databases as spreadsheets. Prior to version 2026.05.1, public shared-view relation endpoints did not verify that a caller-supplied column ID was visible in the shared view. This allowed anyone with a share UUID to read links from any LTAR column, including hidden columns. The vulnerability was fixed in version 2026.05.1. NocoDB's public sh [truncated]
CVE-2026-46550 is a medium-severity vulnerability in NocoDB, software for building databases as spreadsheets. The vulnerability involves the refresh-token cookie, which was set with httpOnly: true but missing both the secure flag and the sameSite attribute. This omission allows the cookie to be intercepted on the network over plain HTTP and attached to cross-site POSTs, enabling CSRF against the token-r [truncated]
CVE-2026-46547 is a reflected XSS vulnerability in NocoDB, software for building databases as spreadsheets. The vulnerability exists in the Page Leaving Warning page, where the ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in version 2026.04.1. The CVSS score for this [truncated]