NocoBase sandbox escape to root RCE via console object prototype chain (CVE-2026-34156)
A CVSS 10.0 sandbox escape in NocoBase's Workflow JavaScript node lets authenticated users reach root RCE through three lines of code. The console object leaks a host-realm Function constructor via prototype chain traversal. Patched in v2.0.28.