CVE-2026-47385

MEDIUMPre-NVD 5.35.3Trending — 3 sources updated this week

5.3

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to fs.exists and fs.open('w') without restricting the location. A user could point a source at noco.db, at a tenant database under nc_minimal_dbs/, or at any writable path the NocoDB process can reach, and then read or overwrite its contents through the regular table APIs.This vulnerability is fixed in 2026.05.1.

CVSS v3: 5.3
EG Score: 5.3(low)
EPSS: 24.0%
KEV: Not listed

Published

June 5, 2026

Last Modified

June 24, 2026

References (1)

security-advisories@githubhttps://github.com/nocodb/nocodb/security/advisories/GHSA-wvqj-9wv4-7ff5

Vendor Advisories for CVE-2026-47385(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-wvqj-9wv4-7ff5
GitHub Security AdvisoriesMedium
NocoDB: Path Traversal via SQLite Source Filename

Affected Packages

(1 across 1 ecosystem)

npm(1)

Package	Vulnerable range	Fixed in	Dependents
nocodb	—	2026.05.1	—

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

CWE-22Path Traversal

Data Freshness Timeline

(refreshed 3× in last 7d / 8× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-06-24 14:05 UTCEPSS rescore
2026-06-24 12:04 UTCEG score recompute▲ 5.30
2026-06-24 12:01 UTCNVD updateCVSS v3 → 5.3 · CVSS v4 → 5.3
2026-06-14 23:18 UTCEPSS rescore
2026-06-14 22:25 UTCEG score recompute
2026-06-13 23:00 UTCEPSS rescore
2026-06-12 23:12 UTCEPSS rescore
2026-06-05 16:57 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47385?

CVE-2026-47385 is a medium vulnerability published on June 5, 2026. NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration create…

When was CVE-2026-47385 disclosed?

CVE-2026-47385 was first published in the National Vulnerability Database on June 5, 2026, with the most recent update on June 24, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2026-47385 actively exploited?

CVE-2026-47385 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 24.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2026-47385?

CVE-2026-47385 has a CVSS v3 base score of 5.3 (NVD). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-47385?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47385, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47385

Explore →

Is Your Infrastructure Affected by CVE-2026-47385?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-47385

📅 Published

🔄 Last Modified

🔗 References (1)

📣 Vendor Advisories for CVE-2026-47385(1)