Latest NocoBase news

88 new CVEs on March 31 include a CVSS 10.0 NocoBase sandbox escape to root RCE, a WordPress Everest Forms Pro RCE, five baserCMS command injections, and SQL injections in Umami and SciTokens. Eleven vulnerabilities scored 9.0 or above.

A CVSS 10.0 sandbox escape in NocoBase's Workflow JavaScript node lets authenticated users reach root RCE through three lines of code. The console object leaks a host-realm Function constructor via prototype chain traversal. Patched in v2.0.28.