News & Sicurezza

CVE ID :CVE-2026-56120 Published : June 23, 2026, 8:54 p.m. | 6 hours, 50 minutes ago Description :OpenRemote before 1.25.0 contains an insecure direct object reference (IDOR) vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms() method in AlarmResourceImpl.java omits realm-scoping validation in its JPA query, enabling any user with alarm-write permissions to enumerate sequential auto-increment alarm IDs and delete cross-tenant alarm records without authorization. Severity: 8.6 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-54513 Published : June 23, 2026, 8:53 p.m. | 6 hours, 50 minutes ago Description :jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. Severity: 8.1 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-54514 Published : June 23, 2026, 8:51 p.m. | 6 hours, 52 minutes ago Description :jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-54515 Published : June 23, 2026, 8:50 p.m. | 6 hours, 53 minutes ago Description :jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map — restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-54516 Published : June 23, 2026, 8:48 p.m. | 6 hours, 55 minutes ago Description :jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector._renameProperties() allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed rather than dropped. With MapperFeature.INFER_PROPERTY_MUTATORS enabled (default), the private backing field is retained; during deserialization BeanDeserializerFactory.addBeanProps() sees hasField()==true, builds a FieldProperty, and makes the backing field writable. An attacker supplying the renamed JSON key writes the backing field directly, bypassing the @JsonIgnore on the setter. This vulnerability is fixed in 3.1.4. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-54517 Published : June 23, 2026, 8:47 p.m. | 6 hours, 57 minutes ago Description :jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer._deserializeUsingPropertyBased, the active-view (@JsonView) filter was applied only to creator properties; the regular property-buffering branch performed no prop.visibleInView(activeView) check. A change making SetterlessProperty.isMerging() return true routed setterless Collection/Map properties through this unguarded path, so a setterless collection annotated with a restricted @JsonView is populated from attacker JSON even when the active view excludes it. This vulnerability is fixed in 2.21.4 and 3.1.4. Severity: 5.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46547 Published : June 23, 2026, 8:42 p.m. | 7 hours, 2 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1. Severity: 6.1 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46548 Published : June 23, 2026, 8:41 p.m. | 5 hours, 3 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the request-filtering-agent SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because httpAgent / httpsAgent were passed as part of the request body rather than the axios config. An authenticated user with hook-creation permission could direct outbound POST requests to arbitrary internal hosts. This vulnerability is fixed in 2026.04.1. Severity: 4.3 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46549 Published : June 23, 2026, 8:40 p.m. | 5 hours, 3 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1. Severity: 2.0 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46550 Published : June 23, 2026, 8:39 p.m. | 5 hours, 4 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint. This vulnerability is fixed in 2026.04.1. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46552 Published : June 23, 2026, 8:38 p.m. | 3 hours, 5 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the invite via the normal signup flow and retain authenticated access even after the owner revoked the shared link. Shared-base sessions were mapped to ProjectRoles.VIEWER in packages/nocodb/src/strategies/base-view.strategy/base-view.strategy.ts, and packages/nocodb/src/utils/acl.ts granted baseUserList and userInvite to that role. The shared frontend (packages/nc-gui/composables/useApi/interceptors.ts) deliberately removed auth headers in favour of the shared-base header, but the ACL middleware did not distinguish shared sessions from genuine viewers. This vulnerability is fixed in 2026.04.1. Severity: 5.8 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-46553 Published : June 23, 2026, 8:37 p.m. | 3 hours, 7 minutes ago Description :NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured per-file size limit. This vulnerability is fixed in 2026.04.1. Severity: 2.1 | LOW Visit the link for more details, such as CVSS details, affected products, timeline, and more...