๐Ÿ” CVE Alert

CVE-2026-55410

MEDIUM 6.7

NocoBase backup restore schema name allows command injection

CVSS Score
6.7
EPSS Score
0.0%
EPSS Percentile
0th

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.1.19, NocoBase @nocobase/plugin-backups restored PostgreSQL backups by interpolating the database.schema value from _metadata.json into shell command strings executed with Node.js child_process.exec(), allowing a backup-management user restoring a crafted backup to execute commands as the NocoBase server process. This vulnerability is fixed in 2.1.19.

CWE CWE-78
Vendor nocobase
Product nocobase
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for nocobase nocobase

Be the first to know when new medium vulnerabilities affecting nocobase nocobase are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Affected Versions

nocobase / nocobase
< 2.1.19

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nocobase/nocobase/security/advisories/GHSA-p853-83gj-wjj3 github.com: https://github.com/nocobase/nocobase/commit/0e1aba1b7b112ffc841588963f7343c00edd9806 github.com: https://github.com/nocobase/nocobase/releases/tag/v2.1.19