CVE-2026-24767

Exploit

EPSS 0.01%
Veröffentlicht 28.01.2026 20:29:29
Zuletzt bearbeitet 04.02.2026 20:05:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nocodb ≫ Nocodb Version < 0.301.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.016

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
security-advisories@github.com	4.9	1.8	2.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-24767

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24767

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24767

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24767