NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Nocobase
Nocobase nocobase |
|
| Vendors & Products |
Nocobase
Nocobase nocobase |
Wed, 15 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to 2.0.61, NocoBase @nocobase/plugin-notification-in-app-message exposed GET /api/myInAppChannels:list, where the filter[latestMsgReceiveTimestamp][$lt] value was inserted into a Sequelize.literal() template string without escaping or parameter binding, allowing a signed-up authenticated user to run stacked PostgreSQL statements and potentially execute commands with COPY ... TO PROGRAM. This vulnerability is fixed in 2.0.61. | |
| Title | NocoBase: SQL injection in /api/myInAppChannels:list filter to PG-superuser RCE | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T20:16:43.023Z
Reserved: 2026-06-08T21:44:27.365Z
Link: CVE-2026-52887
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T23:30:04Z