{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6224", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-13T13:49:25.263Z", "datePublished": "2026-04-13T21:15:11.914Z", "dateUpdated": "2026-04-14T16:28:30.809Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T21:15:11.914Z"}, "title": "nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-265", "lang": "en", "description": "Sandbox Issue"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-264", "lang": "en", "description": "Improper Access Controls"}]}], "affected": [{"vendor": "nocobase", "product": "plugin-workflow-javascript", "versions": [{"version": "2.0.0", "status": "affected"}, {"version": "2.0.1", "status": "affected"}, {"version": "2.0.2", "status": "affected"}, {"version": "2.0.3", "status": "affected"}, {"version": "2.0.4", "status": "affected"}, {"version": "2.0.5", "status": "affected"}, {"version": "2.0.6", "status": "affected"}, {"version": "2.0.7", "status": "affected"}, {"version": "2.0.8", "status": "affected"}, {"version": "2.0.9", "status": "affected"}, {"version": "2.0.10", "status": "affected"}, {"version": "2.0.11", "status": "affected"}, {"version": "2.0.12", "status": "affected"}, {"version": "2.0.13", "status": "affected"}, {"version": "2.0.14", "status": "affected"}, {"version": "2.0.15", "status": "affected"}, {"version": "2.0.16", "status": "affected"}, {"version": "2.0.17", "status": "affected"}, {"version": "2.0.18", "status": "affected"}, {"version": "2.0.19", "status": "affected"}, {"version": "2.0.20", "status": "affected"}, {"version": "2.0.21", "status": "affected"}, {"version": "2.0.22", "status": "affected"}, {"version": "2.0.23", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-13T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-13T15:54:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Paaai (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/357142", "name": "VDB-357142 | nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357142/cti", "name": "VDB-357142 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785881", "name": "Submit #785881 | NocoBase 2.0.23 Sandbox Issue", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:30:15.271468Z", "id": "CVE-2026-6224", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:28:30.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6224", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:30:15.271468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:32:10.187Z"}}], "cna": {"title": "nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox", "credits": [{"lang": "en", "type": "reporter", "value": "Paaai (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "nocobase", "product": "plugin-workflow-javascript", "versions": [{"status": "affected", "version": "2.0.0"}, {"status": "affected", "version": "2.0.1"}, {"status": "affected", "version": "2.0.2"}, {"status": "affected", "version": "2.0.3"}, {"status": "affected", "version": "2.0.4"}, {"status": "affected", "version": "2.0.5"}, {"status": "affected", "version": "2.0.6"}, {"status": "affected", "version": "2.0.7"}, {"status": "affected", "version": "2.0.8"}, {"status": "affected", "version": "2.0.9"}, {"status": "affected", "version": "2.0.10"}, {"status": "affected", "version": "2.0.11"}, {"status": "affected", "version": "2.0.12"}, {"status": "affected", "version": "2.0.13"}, {"status": "affected", "version": "2.0.14"}, {"status": "affected", "version": "2.0.15"}, {"status": "affected", "version": "2.0.16"}, {"status": "affected", "version": "2.0.17"}, {"status": "affected", "version": "2.0.18"}, {"status": "affected", "version": "2.0.19"}, {"status": "affected", "version": "2.0.20"}, {"status": "affected", "version": "2.0.21"}, {"status": "affected", "version": "2.0.22"}, {"status": "affected", "version": "2.0.23"}]}], "timeline": [{"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-13T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-13T15:54:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/357142", "name": "VDB-357142 | nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357142/cti", "name": "VDB-357142 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785881", "name": "Submit #785881 | NocoBase 2.0.23 Sandbox Issue", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-265", "description": "Sandbox Issue"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-264", "description": "Improper Access Controls"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T21:15:11.914Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6224", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:28:30.809Z", "dateReserved": "2026-04-13T13:49:25.263Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-13T21:15:11.914Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6224", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T22:16:30.757", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785881"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357142"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357142/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}, {"lang": "en", "value": "CWE-265"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.14"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.17"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.18"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.19"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.21"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.22"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.0.23"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "plugin-workflow-javascript", "source": "cna", "vendor": "nocobase"}, "product": "plugin-workflow-javascript", "vendor": "nocobase"}], "analysis": {"en": {"generated_at": "2026-04-13T22:35:36.410125+00:00", "value": {"mitigation_remediation": ["Check the vendor website for a patch or newer release that fixes the sandbox escape.", "If a patch is not yet available, restrict network exposure of the affected service by applying firewall rules or network segmentation.", "Monitor logs for abnormal JavaScript execution attempts and enforce least privilege for the application process."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is nocobase plugin-workflow-javascript, versions 0.x through 2.0.23 inclusive. Systems running these versions are vulnerable.", "description_and_impact": "The vulnerability lies in the createSafeConsole function of nocobase plugin-workflow-javascript, present in versions up to 2.0.23. An attacker can manipulate input to break out of the JavaScript sandbox, gaining the ability to execute arbitrary code on the host. This results in loss of confidentiality, integrity, and availability, essentially Remote Code Execution.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a moderate to high severity. No EPSS score is available and the vulnerability is not listed in KEV. The exploit is publicly available and can be launched remotely, making the risk significant. Attackers can craft arbitrary payloads to escape the sandbox, potentially compromising the entire server environment."}}}}, "created": "2026-04-14T16:18:00.933703+00:00", "updated": "2026-04-14T16:33:08.002205+00:00", "vendors": ["nocobase", "nocobase$PRODUCT$plugin-workflow-javascript"]}