Description
A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in the createSafeConsole function of nocobase plugin-workflow-javascript, present in versions up to 2.0.23. An attacker can manipulate input to break out of the JavaScript sandbox, gaining the ability to execute arbitrary code on the host. This results in loss of confidentiality, integrity, and availability, essentially Remote Code Execution.

Affected Systems

The affected product is nocobase plugin-workflow-javascript, versions 0.x through 2.0.23 inclusive. Systems running these versions are vulnerable.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate to high severity. No EPSS score is available and the vulnerability is not listed in KEV. The exploit is publicly available and can be launched remotely, making the risk significant. Attackers can craft arbitrary payloads to escape the sandbox, potentially compromising the entire server environment.

Generated by OpenCVE AI on April 13, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor website for a patch or newer release that fixes the sandbox escape.
  • If a patch is not yet available, restrict network exposure of the affected service by applying firewall rules or network segmentation.
  • Monitor logs for abnormal JavaScript execution attempts and enforce least privilege for the application process.

Generated by OpenCVE AI on April 13, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocobase
Nocobase plugin-workflow-javascript
Vendors & Products Nocobase
Nocobase plugin-workflow-javascript

Mon, 13 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title nocobase plugin-workflow-javascript Vm.js createSafeConsole sandbox
Weaknesses CWE-264
CWE-265
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nocobase Plugin-workflow-javascript
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T16:28:30.809Z

Reserved: 2026-04-13T13:49:25.263Z

Link: CVE-2026-6224

cve-icon Vulnrichment

Updated: 2026-04-14T15:32:10.187Z

cve-icon NVD

Status : Received

Published: 2026-04-13T22:16:30.757

Modified: 2026-04-13T22:16:30.757

Link: CVE-2026-6224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:08Z

Weaknesses