
exploitDog


CVE-2026-24767

Published: 28 Jan 2026
Source: nvd
CVSS3: 4.9
CVSS3: 6.4
EPSS: Low

Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Vulnerable configurations

Configuration 1
cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Versions before 0.301.0 (exclusive)

EPSS

Percentile: 1%
0.0001
Low

4.9 Medium

CVSS3

6.4 Medium

CVSS3

Weaknesses

CWE-918

Related vulnerabilities

CVSS3: 4.9
github
10 days ago

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
