What is CVE-2026-41641?

CVE-2026-41641 is a high-severity vulnerability in Nocobase, classified under SQL Injection. CVSS score: 7.2/10. Published 2026-05-07.

How severe is CVE-2026-41641?

High severity. CVSS v3 base score is 7.2 out of 10.

SQL Injection in Nocobase

CVE-2026-41641

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE…

Vulnerability class: SQL Injection

EPSS: 0.002 (41.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Nocobase — versions < 2.0.39

Weakness classification (CWE)

References

https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh (x_refsource_CONFIRM, Exploit, Mitigation, Vendor Advisory)
https://github.com/nocobase/nocobase/pull/9134 (Patch, x_refsource_MISC, Issue Tracking)
https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91 (Patch, x_refsource_MISC)
https://github.com/nocobase/nocobase/releases/tag/v2.0.39 (Product, Patch, x_refsource_MISC)

Frequently asked questions

What is CVE-2026-41641?: CVE-2026-41641 is a high-severity vulnerability in Nocobase, classified under SQL Injection. CVSS score: 7.2/10. Published 2026-05-07.
How severe is CVE-2026-41641?: High severity. CVSS v3 base score is 7.2 out of 10.