nocodb
nocodb: Shared-view relation endpoints now enforce column visibility check
Public shared-view relation endpoints (`publicMmList`, `publicHmList`, `relDataList`) now verify that the requested column's `show
NocoDB: Reflected XSS in password-reset page via unescaped URL token
The password-reset page in NocoDB had a reflected XSS vulnerability where the URL token was embedded directly into a JavaScript st
NocoDB hashRedirect plugin rejects protocol-relative URLs to fix open redirect
The client-side hashRedirect plugin now rejects protocol-relative URLs (starting with //) to prevent open redirect attacks.
NocoDB: Public shared-view endpoints no longer expose hidden column values
Public shared-view endpoints no longer expose hidden column values.
NocoDB: Timing-safe password verification for shared views
The shared-view password check in View.
NocoDB: Fixed timing-based email enumeration in sign-in endpoint
The unknown-user branch in auth.
nocodb: testConnection endpoint now scopes integration access to workspace
The `testConnection` endpoint previously fetched integrations in a bypass scope and only checked that the integration was non-priv
nocodb: SSRF protection via validateDbConnectionHost helper
Added a `validateDbConnectionHost` helper that resolves hostnames, parses addresses with ipaddr.
NocoDB SQL Injection via Column Title in Bulk GroupBy Endpoint
An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a
NocoDB OAuth PKCE race condition fix
Fixed a race condition in OAuth token exchange where two concurrent requests using the same authorization code could each mint a d
nocodb MCP readAttachment tool now enforces file ownership check
The MCP `readAttachment` tool now verifies file ownership by looking up the path in `nc_file_references` and checking that the `ba
NocoDB OAuth tokens no longer persist after password change
OAuth access and refresh tokens are now revoked when a user changes, resets, or recovers their password.
NocoDB Stored XSS in Row Comments via Unsanitized HTML and Tippy allowHTML
Stored XSS vulnerability in row comments: HTML stored without server-side sanitization, and Tippy tooltip with allowHTML: true exe
NocoDB Shared Form XSS via redirect_url
The shared form-view submit handler writes the form's `redirect_url` to `window.