8.6
CVE-2026-28286 - ZimaOS: Unauthorized Creation of Files/Folders in Restricted System Directories via API
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the β¦
5.3
CVE-2026-28401 - NocoDB: Stored Cross-Site Scripting via Rich Text Cells
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.
6.2
CVE-2026-28399 - NocoDB: SQL Injection via DATEADD Formula
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
5.3
CVE-2026-28398 - NocoDB: Stored Cross-Site Scripting via Comments and Rich Text Cells
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3.
5.3
CVE-2026-28397 - NocoDB: Stored Cross-Site Scripting via Comments
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.
4.9
CVE-2026-28396 - NocoDB: Refresh Tokens Not Revoked on Password Reset
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has beenβ¦
4.9
CVE-2026-28361 - NocoDB: Missing Ownership Validation in MCP Token Operations
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in verβ¦
2.7
CVE-2026-28360 - NocoDB: Plaintext Storage of Shared View Passwords
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
5.3
CVE-2026-28359 - NocoDB: Stored Cross-Site Scripting via Rich Text Field
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3.
2.7
CVE-2026-28358 - NocoDB: User Enumeration via Password Reset Endpoint
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.