CVE-2026-41640 · HIGH 8.8 · EPSS p76.7%

CVE-2026-41640

Description

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.88% probability of exploitation · percentile 76.7% · 2026-06-19T12:03:05Z
Published: 2026-05-07
Last modified: 2026-05-12

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604
  2. https://github.com/nocobase/nocobase/pull/9133
  3. https://github.com/nocobase/nocobase/releases/tag/v2.0.39
  4. https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432


Type       | Target                                                                              | Confidence | Tier
Weakness   | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), cwe-89 | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-34156
  - CVE: CVE-2026-28399
  - CVE: CVE-2026-24769
  - CVE: CVE-2026-30860
  - CVE: CVE-2025-40656
  - CVE: CVE-2018-25431
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.