CVE Alert

CVE-2026-34825

UNKNOWN 0.0

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, the NocoBase plugin-workflow-sql plugin substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who can trigger a workflow containing a SQL node whose template variables are filled from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
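As an added illustration (not NocoBase's own code), the following JavaScript contrasts the unsafe pattern the advisory describes, substituting template variables straight into SQL text, with a parameterized rendering that emits driver placeholders and a separate bind array; the `{{ path }}` template syntax, the context shape and the function names are assumptions.

```javascript
// Added example, not NocoBase code. A workflow SQL node holds a query template
// such as "SELECT id FROM orders WHERE customer = {{ customer.name }}" and a
// context object supplying the variable values at run time (assumed shape).
const TEMPLATE_RE = /\{\{\s*([\w.]+)\s*\}\}/g;

// Resolve a dotted path like "customer.name" against the context object.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// Vulnerable pattern (CWE-89): the variable's value becomes part of the SQL
// text, so any SQL syntax it contains is parsed as SQL, not as data.
function renderUnsafe(template, ctx) {
  return template.replace(TEMPLATE_RE, (_, path) => String(lookup(ctx, path)));
}

// Hardened pattern: each variable becomes a positional placeholder ($1, $2, ...
// in PostgreSQL style) and its value travels out of band in a bind array that
// the driver sends separately from the query text.
function renderParameterized(template, ctx) {
  const values = [];
  const text = template.replace(TEMPLATE_RE, (_, path) => {
    values.push(lookup(ctx, path));
    return `$${values.length}`;
  });
  return { text, values };
}

// Constructed demo input: a value containing a quote character is enough to
// show the difference. In the unsafe form it alters the SQL; in the
// parameterized form it never touches the query text.
const demoContext = { customer: { name: "O'Brien" } };
const demoTemplate = 'SELECT id FROM orders WHERE customer = {{ customer.name }}';

function demo() {
  return {
    unsafe: renderUnsafe(demoTemplate, demoContext),
    safe: renderParameterized(demoTemplate, demoContext),
  };
}

console.log(demo());
```

Reviewing stored workflow definitions for SQL nodes whose templates contain `{{ ... }}` variables is a quick way to find where this pattern is exposed before upgrading.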

CWE CWE-89
Vendor nocobase
Product nocobase
Published Apr 2, 2026
Last Updated Apr 3, 2026

Affected Versions

nocobase / nocobase
< 2.0.30

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j
Fix commit: https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c
Release: https://github.com/nocobase/nocobase/releases/tag/v2.0.30