CVE-2026-34156 · CRITICAL 9.9 · EPSS p93.8%

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by the WORKFLOW_SCRIPT_MODULES environment variable). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 7.59% probability of exploitation · percentile 93.8% · 2026-06-18T12:00:27Z
Published: 2026-03-31
Last modified: 2026-04-07

Underlying weaknesses · 1

CWE-913: Improper Control of Dynamically-Managed Code Resources

References

  1. https://github.com/nocobase/nocobase/pull/8967
  2. https://github.com/nocobase/nocobase/releases/tag/v2.0.28
  3. https://github.com/nocobase/nocobase/security/advisories/GHSA-px3p-vgh9-m57c

Type      Target                                                            Confidence  Tier
Weakness  Improper Control of Dynamically-Managed Code Resources (cwe-913)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-41640
  2. CVE: CVE-2026-35216
  3. CVE: CVE-2026-1470
  4. CVE: CVE-2026-27494
  5. CVE: CVE-2026-25115
  6. CVE: CVE-2026-26956

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.