CVE-2026-6224

HIGH 7.3

nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-265 CWE-264
Vendor	nocobase
Product	plugin-workflow-javascript
Published	Apr 13, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for nocobase plugin-workflow-javascript

Be the first to know when new high vulnerabilities affecting nocobase plugin-workflow-javascript are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

nocobase / plugin-workflow-javascript

2.0.0 2.0.1 2.0.2 2.0.3 2.0.4 2.0.5 2.0.6 2.0.7 2.0.8 2.0.9 2.0.10 2.0.11 2.0.12 2.0.13 2.0.14 2.0.15 2.0.16 2.0.17 2.0.18 2.0.19 2.0.20 2.0.21 2.0.22 2.0.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/357142 vuldb.com: https://vuldb.com/vuln/357142/cti vuldb.com: https://vuldb.com/submit/785881 github.com: https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md

Credits

🔍 Paaai (VulDB User) VulDB CNA Team