Arbitrary Command Execution Vulnerability in NocoBase by NocoBase
CVE-2026-55410
6.7MEDIUM
What is CVE-2026-55410?
The NocoBase platform, designed for developing business applications with no-code/low-code methods, was found to have a serious vulnerability in its backup restoration process. Before version 2.1.19, the @nocobase/plugin-backups component improperly handled PostgreSQL backup restoration. By using crafted backups, a backup-management user could exploit this issue to execute arbitrary commands within the NocoBase server context through improperly interpolated values in shell command strings. This vulnerability has been addressed in the release of version 2.1.19.
Affected Version(s)
nocobase < 2.1.19
