PT-2026-60300 · Nocobase · Nocobase

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-55410

CVSS v3.1

6.7

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions NocoBase versions prior to 2.1.19
Description In the @nocobase/plugin-backups component, the application restores PostgreSQL backups by interpolating the database.schema value from the metadata.json file into shell command strings. These strings are executed using the Node.js child process.exec() function. A user with backup-management privileges can exploit this by restoring a specially crafted backup to execute arbitrary commands with the privileges of the NocoBase server process.
Recommendations Update to version 2.1.19.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55410

Affected Products

Nocobase