chore(renovate): Security update Update dependency nocodb to v0.301.0 [SECURITY] by renovate[bot] · Pull Request #13058 · nocodb/nocodb · GitHub

chore(renovate): Security update Update dependency nocodb to v0.301.0 [SECURITY]#13058

Open
renovate[bot] wants to merge 1 commit into develop from renovate/npm-nocodb-vulnerability

Conversation

@renovate renovate bot commented Feb 15, 2026

This PR contains the following updates:

Package   Change
nocodb    0.264.8 → 0.301.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-24769

Summary

A stored Cross-site Scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment.

Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users.


Vulnerability Details

NocoDB allows file attachments to be previewed inline based on their MIME type. Due to overly permissive MIME type checks and a lack of content sanitization, SVG files containing executable JavaScript are incorrectly treated as safe image content and rendered directly in the browser.

Root Cause

The vulnerability results from a combination of overly permissive MIME type classification and unsafe file serving behavior.

1. Permissive MIME Type Check

In attachmentHelpers.ts, files are considered previewable if their MIME type contains certain substrings:

const previewableMimeTypes = ['image', 'pdf', 'video', 'audio'];

export const isPreviewAllowed = (args: { mimetype?: string } = {}) => {
  const { mimetype } = args;
  if (!mimetype) return false;
  return previewableMimeTypes.some((type) => mimetype.includes(type));
};

This substring-based check (includes) causes files with the MIME type image/svg+xml to be classified as safe for inline preview. However, SVG is an XML-based format that supports executable JavaScript via <script> elements, event handlers, and external references.

No additional validation or sanitization is performed on SVG content after this classification.

2. Unsafe Inline File Serving

Uploaded attachments are served by the fileReadv3 endpoint in attachments.controller.ts without sanitization or content-type enforcement:

@Get('/dltemp/:param(*)')
async fileReadv3(@Param('param') param: string, @Res() res: Response) {
  // No authentication guard

  // queryParams and file are derived from the request elsewhere in the
  // controller; that code is elided in this advisory excerpt.

  // Sets headers from query parameters
  res.setHeader('Content-Type', queryParams.contentType);
  res.setHeader('Content-Disposition', queryParams.contentDisposition);

  // Sends raw file content
  res.sendFile(file.path);
}

The endpoint:

  • Preserves the original Content-Type (image/svg+xml)
  • Uses Content-Disposition: inline
  • Sends the raw file contents unmodified

As a result, browsers render the SVG inline and execute any embedded JavaScript under the NocoDB application’s origin.
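The two weaknesses above, substring MIME matching and passing the client-declared headers through, placed beside a hardened variant, as an added example that is not NocoDB code and is not part of the advisory; the allowlist contents, the header-building helper and the CSP value are assumptions for illustration:

```typescript
// Added example (not NocoDB code and not part of the advisory). Contrasts the
// substring MIME check quoted above with an exact-match allowlist, and shows
// response headers that keep a stored SVG from running script on the app origin.

const previewableMimeTypes = ['image', 'pdf', 'video', 'audio'];

// Shape of the check the advisory quotes: substring match on the MIME type.
export function isPreviewAllowedVulnerable(mimetype?: string): boolean {
  if (!mimetype) return false;
  return previewableMimeTypes.some((type) => mimetype.includes(type));
}

// Assumed allowlist for this example: exact media types that are safe to render
// inline. image/svg+xml is deliberately absent because SVG is XML and can carry
// <script>, event handlers and external references.
const INLINE_ALLOWLIST = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/avif',
  'application/pdf', 'video/mp4', 'video/webm', 'audio/mpeg', 'audio/ogg',
]);

// Strip parameters (e.g. "; charset=binary") and case before matching.
export function normalizeMediaType(mimetype?: string): string {
  return (mimetype ?? '').split(';')[0].trim().toLowerCase();
}

export function isPreviewAllowedHardened(mimetype?: string): boolean {
  return INLINE_ALLOWLIST.has(normalizeMediaType(mimetype));
}

// Response headers for a stored attachment. The media type must come from
// server-side metadata recorded at upload time, never from query parameters.
// Anything outside the allowlist is forced to download, and an SVG additionally
// gets a sandboxing CSP so that a browser which still renders it (for example
// via a direct navigation to the file URL) cannot run script or reach the origin.
export function attachmentHeaders(
  storedMimetype: string | undefined,
  fileName: string,
): Record<string, string> {
  const mediaType = normalizeMediaType(storedMimetype) || 'application/octet-stream';
  const safeName = fileName.replace(/["\\\r\n]/g, '_');
  const headers: Record<string, string> = { 'X-Content-Type-Options': 'nosniff' };
  if (isPreviewAllowedHardened(mediaType)) {
    headers['Content-Type'] = mediaType;
    headers['Content-Disposition'] = `inline; filename="${safeName}"`;
    return headers;
  }
  headers['Content-Type'] = mediaType;
  headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
  if (mediaType === 'image/svg+xml') {
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'";
  }
  return headers;
}
```

With the hardened check an SVG never matches the inline allowlist, so it is served as a download; the CSP sandbox is a second layer for the case where an object store or CDN hands the same bytes to a browser directly. The substring check also over-matches in the other direction (a type such as text/x-image would be treated as previewable), which is why the replacement compares whole media types rather than fragments.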


Impact

This is a stored XSS vulnerability that can be exploited by authenticated users with permission to upload attachments.

Potential impacts include:

  • Account takeover
  • Theft of session cookies or API tokens
  • Unauthorized actions performed on behalf of victims
  • Privilege escalation if higher-privileged users view the malicious attachment

Credit

This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

CVE-2026-24768

Summary

An unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter.

During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login.

Root Cause

The redirect logic relies on a permissive URL check that treats any absolute or protocol-relative URL as safe, and performs navigation without applying an allowlist or origin validation.

In the redirect plugin:

  • The helper function isFullUrl uses the following regular expression:

    /^(https?:)?\/\//

    This pattern matches any HTTP(S) URL as well as protocol-relative URLs (e.g., //evil.example), without restricting allowed domains.

  • When the continueAfterSignIn query parameter matches this pattern, the application performs an unconditional external navigation:

    navigateTo(route.value.query.continueAfterSignIn as string, {
      external: isFullUrl(...)
    })
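The regex above beside an origin-anchored replacement, as an added example that is not NocoDB code; the function safeRedirectTarget, its appOrigin parameter and the fallback path are assumptions for illustration:

```typescript
// Added example (not NocoDB code). The isFullUrl regex from the advisory, next
// to a check that only permits targets which stay on the application's origin.

// Shape of the helper the advisory describes: any http(s) or protocol-relative
// URL counts as "full", with no restriction on the host.
export const isFullUrl = (url: string): boolean => /^(https?:)?\/\//.test(url);

// Hardened check. appOrigin is an assumption for this example; in a real app it
// would be the configured public URL of the deployment.
export function safeRedirectTarget(raw: unknown, appOrigin: string, fallback = '/'): string {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;
  let target: URL;
  try {
    // Resolving against the app origin handles relative paths, and the WHATWG
    // parser normalizes tricks such as "\\evil.example" (backslashes) and
    // "https://victim@evil.example" (userinfo) into their real host.
    target = new URL(raw, appOrigin);
  } catch (err) {
    return fallback;
  }
  // Anything that did not stay on the app origin is dropped: other hosts,
  // protocol-relative URLs, and javascript:/data: URLs (their origin is "null").
  if (target.origin !== new URL(appOrigin).origin) return fallback;
  // Hand back a path, never an absolute URL, so the caller cannot navigate
  // externally even if it forwards the value to navigateTo with external: true.
  return target.pathname + target.search + target.hash;
}
```

The check deliberately returns a same-origin path rather than deciding between "internal" and "external" navigation: once the only possible output is a path on the app's own origin, the external flag in the navigate call no longer matters.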

Attack Scenario

An attacker can exploit this issue through a phishing attack:

  1. The attacker crafts a malicious login URL containing a controlled redirect target, for example:

    https://victim-nocodb.example/#/signin?continueAfterSignIn=https://evil-phishing.com/fake-login
    
  2. The victim clicks the link and is presented with the legitimate NocoDB login page.

  3. The victim authenticates using valid credentials.

  4. After login, NocoDB automatically redirects the victim to the attacker-controlled external site.

  5. The attacker’s site displays a fake error message and prompts the victim to re-enter credentials.

  6. The victim unknowingly submits credentials to the attacker.

Impact

This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering.

The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity.

Credit

This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

CVE-2026-24767

Summary

A blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation.

This allows limited outbound requests to arbitrary URLs before SSRF controls are applied.


Vulnerability Details

The uploadViaURL() function issues an axios.head() request to retrieve metadata (content type, content length, and final URL after redirects). This request is performed without SSRF filtering.

Although the actual file download is protected by request filtering, the initial HEAD request occurs prior to these checks and can be triggered with an attacker-controlled URL.

Vulnerable Code

if (!url.startsWith('data:')) {
  response = await axios.head(url, { maxRedirects: 5 });
  mimeType = response.headers['content-type']?.split(';')[0];
  size = response.headers['content-length'];
  finalUrl = response.request.res.responseUrl;
}

Impact

The impact of this issue is limited due to the following constraints:

  • Only HEAD requests are affected (no response body is returned)
  • No direct exfiltration of response data occurs
  • The subsequent file-fetching logic enforces SSRF protections

However, the vulnerability may still allow:

  • Blind SSRF via outbound HEAD requests
  • Limited internal service probing (reachability and response behavior)
  • Interaction with sensitive internal endpoints that respond to HEAD requests

This issue does not provide arbitrary data access or full internal network compromise on its own.


Severity

Moderate

The vulnerability is limited in scope and impact:

  • Only HEAD requests are affected
  • No response body or sensitive data is directly returned
  • The actual file download logic enforces SSRF protections

While the issue permits blind outbound requests to attacker-controlled URLs, it does not enable direct data exfiltration or full internal network compromise on its own.


Proof of Concept

curl -X POST 'http://localhost:8080/api/v2/storage/upload-by-url' \
  -H 'Content-Type: application/json' \
  -H 'xc-auth: <token>' \
  -d '[{
    "url": "http://169.254.169.254/latest/meta-data/",
    "fileName": "test.txt"
  }]'

This request causes the server to issue an unfiltered HEAD request before SSRF protections are applied.
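A pre-request filter for the HEAD call, as an added example that is not NocoDB code and is not the project's existing download-side SSRF protection; the function names, the forbidden-range table and the injected fetchImpl are assumptions for illustration. It also re-validates each redirect hop, which matters because maxRedirects: 5 in the snippet above lets a permitted public host forward the request to an internal address:

```typescript
// Added example (not NocoDB code and not part of the advisory). Validates a
// user-supplied URL before any outbound request, including the metadata HEAD
// described above, and re-validates every redirect hop.
import * as net from 'node:net';

function ipv4ToNumber(ip: string): number {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Unspecified, RFC 1918, CGNAT, loopback, link-local (where cloud metadata such
// as 169.254.169.254 lives), multicast and reserved space.
const FORBIDDEN_V4: Array<[string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function isForbiddenV4Number(n: number): boolean {
  return FORBIDDEN_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToNumber(base) & mask) >>> 0);
  });
}

export function isForbiddenIp(ip: string): boolean {
  const version = net.isIP(ip);
  if (version === 4) return isForbiddenV4Number(ipv4ToNumber(ip));
  if (version === 6) {
    const v6 = ip.toLowerCase();
    // IPv4-mapped addresses, in dotted form or in the hex form the URL parser emits.
    const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isForbiddenV4Number(ipv4ToNumber(dotted[1]));
    const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) return isForbiddenV4Number(parseInt(hex[1], 16) * 65536 + parseInt(hex[2], 16));
    // ::, ::1, unique-local fc00::/7 and link-local fe80::/10.
    return v6 === '::' || v6 === '::1' || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return false; // not an IP literal; a DNS name must be checked after resolution
}

// Throws unless the URL is http(s), carries no credentials and does not point at
// a forbidden address. For a DNS name the caller must additionally resolve it
// (dns.lookup with { all: true }), run isForbiddenIp on every answer and connect
// to the checked address, so a rebinding name cannot pass; that step needs the
// network and is omitted here.
export function validateOutboundUrl(raw: string): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (err) {
    throw new Error(`invalid URL: ${raw}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) throw new Error('credentials in URL not allowed');
  // The WHATWG parser already turns "http://2130706433/" and "http://0x7f.1/"
  // into 127.0.0.1; IPv6 literals keep their brackets in url.hostname.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost') || isForbiddenIp(host)) {
    throw new Error(`host not allowed: ${host}`);
  }
  return url;
}

// One redirect hop: returns the validated next URL, or null if not a redirect.
export function nextHop(current: URL, status: number, location: string | null): URL | null {
  if (![301, 302, 303, 307, 308].includes(status)) return null;
  if (!location) throw new Error('redirect without Location');
  return validateOutboundUrl(new URL(location, current).toString());
}

type MinimalResponse = { status: number; headers: { get(name: string): string | null } };
type FetchLike = (url: string, init: { method: 'HEAD'; redirect: 'manual' }) => Promise<MinimalResponse>;

// HEAD with manual redirects so that every hop passes through validateOutboundUrl.
// fetchImpl is injected so the function can be exercised with a stub; pass
// globalThis.fetch in real use.
export async function filteredHead(raw: string, fetchImpl: FetchLike, maxRedirects = 5) {
  let url = validateOutboundUrl(raw);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(url.toString(), { method: 'HEAD', redirect: 'manual' });
    const next = nextHop(url, res.status, res.headers.get('location'));
    if (!next) return { finalUrl: url.toString(), status: res.status, headers: res.headers };
    url = next;
  }
  throw new Error('too many redirects');
}
```

Applied to the proof-of-concept request above, validateOutboundUrl rejects http://169.254.169.254/latest/meta-data/ before any packet leaves the host, and because the loop follows redirects by hand, a public URL that answers 302 Location: http://10.0.0.5/ is rejected at the second hop instead of being followed by the HTTP client.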


Acknowledgements

This issue was first identified and responsibly disclosed by Faizan Raza of Kolega.dev as part of a security assessment using Kolega.dev Deep Code Scan, including validation and fix recommendations.

NocoDB also acknowledges Neel B for independently reporting the same issue prior to publication.

NocoDB thanks Kolega.dev for their contribution to improving the security posture of the project.

CVE-2026-24766

Summary

An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart.

While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.

Details

The deepMerge() function in packages/nocodb/src/utils/dataUtils.ts does not filter out the keys __proto__, constructor and prototype:

export const deepMerge = (target: any, ...sources: any[]) => {
  // ...
  Object.keys(source).forEach((key) => {
    if (isMergeableObject(source[key])) {
      if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
      deepMerge(target[key], source[key]);  // Recursively merges __proto__
    } else {
      target[key] = source[key];
    }
  });
  // ...
};

The testConnection endpoint (packages/nocodb/src/controllers/utils.controller.ts) passes user-controlled input directly to deepMerge():

config = await integration.getConfig();
deepMerge(config, body);

When an attacker sends {"__proto__": {"super": true}}, the super property is written to Object.prototype, affecting all plain objects in the Node.js process.
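The merge shape above beside a hardened version, with a self-check that reports whether Object.prototype was polluted, as an added example that is not NocoDB code; isMergeableObject is not shown in the advisory and is assumed here to be a plain typeof === 'object' test:

```typescript
// Added example (not NocoDB code). Reproduces the deepMerge shape from the
// advisory, demonstrates the pollution with the advisory's payload, and gives a
// hardened merge that refuses prototype-reaching keys.

// Assumption: the project's isMergeableObject behaves like this.
const isMergeableObject = (v: unknown): v is Record<string, unknown> =>
  v !== null && typeof v === 'object';

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: target["__proto__"] resolves to Object.prototype through the
// inherited accessor, and the recursion then writes into it. The
// {"constructor": {"prototype": {...}}} route reaches the same object.
export function deepMergeVulnerable(target: any, ...sources: any[]): any {
  for (const source of sources) {
    if (!isMergeableObject(source)) continue;
    Object.keys(source).forEach((key) => {
      if (isMergeableObject(source[key])) {
        if (!target[key]) target[key] = Array.isArray(source[key]) ? [] : {};
        deepMergeVulnerable(target[key], source[key]);
      } else {
        target[key] = source[key];
      }
    });
  }
  return target;
}

// Hardened: skip the three dangerous keys, and only descend into a value that
// is an own, mergeable property of target, so an inherited object (such as the
// one the __proto__ accessor returns) is never used as a merge target.
export function deepMergeSafe(target: any, ...sources: any[]): any {
  for (const source of sources) {
    if (!isMergeableObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      const value = source[key];
      if (isMergeableObject(value)) {
        if (!Object.prototype.hasOwnProperty.call(target, key) || !isMergeableObject(target[key])) {
          target[key] = Array.isArray(value) ? [] : {};
        }
        deepMergeSafe(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Runs a merge with the advisory's payload (parsed from JSON, so "__proto__" is
// an own key) and reports whether Object.prototype picked up "super"; cleans up
// afterwards so the process is left as it was.
export function pollutes(merge: (target: any, ...sources: any[]) => any): boolean {
  const payload = JSON.parse('{"__proto__": {"super": true}}');
  merge({}, payload);
  const polluted = ({} as any).super === true;
  delete (Object.prototype as any).super;
  return polluted;
}
```

Key filtering alone is the minimum; the own-property check closes the door for any other inherited accessor, and in code that must merge fully untrusted JSON, building the target with Object.create(null) removes the prototype chain altogether.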

Impact

Pollutes Object.prototype globally, breaking all subsequent database write operations for all users until process restart.


Release Notes

nocodb/nocodb (nocodb)

v0.301.0: Dark Mode, Custom Webhook Payload & Group-by Aggregations

Compare Source


🌗 Dark Mode Is Here - Hooooooooooooray!!!!!!!!

Dark Mode has officially landed in NocoDB Community Edition. Sleeker, easier on the eyes, and built for long sessions—whether you’re shipping late at night or just love a modern dark UI. Every grid, form, and workflow now looks sharper and feels better, without changing how you work. Learn more

🔗 Webhook Payload Customisation ( 🔑 Unlocked from enterprise edition )

Total control, now unlocked. Webhook Custom Payloads are no longer Cloud-only—this powerful capability is now available in NocoDB Community Edition. Shape your webhook requests exactly the way your integrations need them. Cleaner payloads, smarter automations, and seamless connections with any external system. Learn more

📊 Grid View Group-by Aggregations ( 🔑 Unlocked from enterprise edition )

Data insights just leveled up. Group-by Aggregations are now open in NocoDB Community Edition, bringing Cloud-grade analytics straight into your views. Instantly roll up counts, totals, averages, and more—right inside grouped data. No exports. No extra tools. Just answers, instantly. Learn more

🛠️ Other Updates
  • Reordering filters was cumbersome: Filter conditions followed a fixed order, making complex logic harder to manage. Filters can now be reordered using drag-and-drop, giving you better control and faster iteration while building views.
  • Percent values lacked precision control: Percent fields were limited in how precisely values could be represented. Added precision support for Percent fields, allowing you to define decimal accuracy for cleaner calculations and clearer data presentation.
  • Default view was locked to Grid: Tables always opened in Grid view, even when another view was more relevant. You can now set any view as the default for a table, ensuring users land directly on the most meaningful view.

  • Commenters and viewers had full toolbar access: Limited-access roles were exposed to advanced actions. Commenter and Viewer roles now work in a simplified interface without toolbar access, keeping the experience focused, secure, and role-appropriate.

Addressed several bug fixes and improved security.


📢 License Update

TL;DR: If your use of NocoDB is not to offer a commercial service, nothing changes for you. Keep using it exactly as you do today. We're making this move so we can give you more and not less.

Starting with this release, NocoDB is transitioning its license from AGPL 3.0 to a Fair-code–based Sustainable Use License. This change is designed to protect the long-term sustainability of the project while keeping NocoDB open, transparent, and community-driven. The Fair-code model has resonated strongly across the open-source and no-code communities, with projects adopting this approach now collectively representing over 170,000+ GitHub stars : a signal that sustainable open-source business models are not just viable, but thriving. The new license continues to allow free use, modification, and self-hosting, while placing reasonable limits on commercial offerings.

👉 View the full license terms here

This step helps ensure that innovation in NocoDB is funded, maintained, and driven by the community for the long run.

⚠️ Breaking Change

Using base names and table names in API endpoints is no longer supported.
All API integrations must now use IDs instead of names.

Including names as part of API paths is highly discouraged, as names can be changed by other users, which may break existing integrations unexpectedly.

Before

http://localhost:8081/api/v1/db/data/noco/Getting%20Started/Table-1

After

http://localhost:8081/api/v1/db/data/noco/pjq0r488d4gt2xz/mtan85lkqcvf8i7


Bug fixes
  • [closed] 🔦 Feature: Dark mode enable button #​12800
  • [closed] Can I write SQL statements by hand to run queries? #12797
  • [closed] 🐛 Bug: Import table fails silently when there are emojis in "List Single Select" from Airtable #​12794
  • [closed] 🐛 Bug: it doesn't allow me to export in .json format #​12791
  • [closed] 🐛 Bug: Internal Error when converting Text column with Default Value to SingleSelect #​12780
  • [closed] docs(i18n): add Turkish translation for README #​12775
  • [closed] Inconsistent protocol in README for Auto-upstall script #​12771
  • [closed] Need to update Holiday Schedule for 2026 #​12763
  • [closed] 🐛 Bug: airtable import missing description #​12761
  • [closed] 🐛 Bug: Webhook not containing all rows when copy & paste rows into a table. #​12757
  • [closed] 🐛 Bug: "Internal Error" when converting Text column with Default Value to SingleSelect #​12756
  • [closed] 🐛 Bug: Table copy problem #​12738
  • [closed] 🔦 Feature: When filtering by creator in a custom view, add the currently logged in user. #​12736
  • [closed] Is NocoDB affected by the exposed vulnerability in react? #​12711
  • [closed] 🐛 Bug: Circular dependency between Formula and Rollup fields causes infinite recursion and OOM crash #​12708
  • [closed] 🐛 Bug: Webhook only triggers for the first row when updating multiple rows via bulk paste, remaining rows do not trigger #​12697
  • [closed] Bug: MCP Server generates non-functional configuration for self-hosted instances #​12692
  • [closed] 🐛 Bug: Table called "bots" not shown #​12684
  • [closed] The Importance of Dark Mode: A Data-Driven Perspective #​12673
  • [🔎 Status: More Info Needed] 🐛 Bug: [Self Hosted] Calendar view displays events on the wrong date #​12653
  • [closed] 🐛 Bug: extra settings for columns dissapeared #​12652
  • [closed] 🐛 Bug: Missing Show More under SpecificDBType selection #​12649
  • [closed] 🐛 Bug: The formula column content cannot be displayed on a new line. #​12642
  • [closed] 🐛 Bug: [Self Hosted] MCP server setting page is blank #​12631
  • [closed] 🐛 Bug: card view shared won't show attachment field #​12628
  • [closed] uui #​12618
  • [closed] 2440 argulite road Ashland kentucky 41139 #​12617
  • [closed] Screenshot (Oct 31, 2025 11:10:58 AM) #​12616
  • [closed] 🐛 Bug: Create Table button from the sidebar doesn't work in blank database #​12604
  • [closed] 🐛 Bug: Build fails on `develop` branch during `pnpm bootstrap` #​12586
  • [closed] 🐛 Bug: Text shifts incorrectly when inserting text in the middle of a sentence in Row Detail View #​12582
  • [closed] 🐛 Bug: Deleting on a group by creates up to 100 empty lines #​12575
  • [closed] 🐛 Bug: Barcode labels not displaying text underneath #​12569
  • [closed] Why isn't real-time multi-user collaboration supported? #12567
  • [Status: Not Reproducible] 🐛 Bug: API Next Url is returning always the previous query parameter #​12566
  • [closed] 🔦 Feature: Display Selected Cell Count #​12555
  • [closed] 🔦 Feature: when clicking on delete an attachment, no confirmation message on NOCODB #​12536
  • [closed] 🔦 Feature: Allow external image urls for the gallery. #​12528
  • [closed] 🔦 Feature: Chinese README is out of date #​12524
  • [closed] Sar\runcscc_sort-source_1. 2.6=1.6.5.5.3_fdic=Dacnuisa.sync #​12518
  • [closed] 🔦 Feature: New API Function "Upsert" #​12509
  • [closed] 🐛 Bug: Update records fail with tables created using API #​12508
  • [closed] 🐛 Bug: nc_audit_v2_old is not removed after migration #​12506
  • [closed] 🔦 Feature: Chart and graph view for more digestible data analyzis #​12494
  • [closed] 🔦 Feature: Refresh when new data arrives #​12493
  • [closed] 🐛 Bug: Drag to Reorder Tables/Views Doesn't Work in Safari (Works in Firefox / Chromium) #​12476
  • [closed] 🐛 Bug: Lock pre-filled fields as read-only does not lock a link-to-another-record field #​12467
  • [👋 For : Community or Good First Issue] 🐛 Bug: Cursor jumps to the end when inserting Korean text in the middle of top-level form title #​12421
  • [closed] 🔦 Feature: Drag-and-drop support for attachment fields in Grid and Gallery view #​12166
  • [closed] 🐛 Bug: Today filter for Datetime works with the Browser Timezone but in the Database is UTC #​11728
  • [closed] 🐛 Bug: Improve white space on mobile devices #​11565
  • [closed] 🔦 Feature: Allow precision for Percentage column uidt #​11251
  • [closed] 🔦 Feature: Return list of linked field IDs as value in calls to API "Read Table Record" #​11154
  • [closed] 🔦 Feature: Define order of Data in Link Previews #​11027
  • [closed] 🔦 Enhancement : Formula field needs a precision settings. #​10887

v0.300.0

Compare Source

v0.265.1: Bug Fix Release

Compare Source

🐛 Closed Issues

  • [closed] 🐛 Bug: [Self hosted] Super Admin Access Lost after initial setup #​12450
  • [👋 For : Community or Good First Issue] 🐛 Bug: JSON_EXTRACT in formula with a special character fails #​12377
  • [👋 For : Community or Good First Issue] 🔦 Feature: Test E-mail / Storage configuration automatically after pressing Save #​11751

Full Changelog: 0.265.0...0.265.1

v0.265.0: Introducing MCP Server

Compare Source

🚀 NocoDB : Feature Release

MCP Server – Talk to your database through AI

No more endless clicks or filters. With MCP Server, your NocoDB workspace connects directly to AI-powered tools like Claude, Cursor, and Windsurf. Just ask in plain language, and your database answers back.

What’s Changed?

  • 💬 Conversational queries – Ask questions like “Show me all customers who haven’t paid in 30 days” and get instant results.
  • 📊 Instant insights & analysis – Pull reports, trends, and summaries without setting up filters or views.
  • ⚡ Bulk operations – Run updates across many records in one go—no manual UI work.
  • 🧹 Smart cleanup – Quickly find duplicates and inconsistencies with a single request.
  • 🖥️ Seamless desktop integration – Works with Claude Desktop, Cursor, and Windsurf (desktop only).

This is just the beginning—MCP opens the door for even deeper AI + database workflows coming soon.

👉 Get started with MCP integration →


Other Updates
  • Only ID-based view URLs made it hard to navigate to them in the browser: Your browser remembers full URLs for frequently visited tables and views, but the URLs only contained cryptic IDs instead of readable names. Now all view URLs include the table and view name, making it easy to type "top leads" in your browser to quickly navigate to views containing "top leads" in the table or column name.

Before: https://app.nocodb.com/#/wqb1x/pab8e/mozv1/vwlks5i/

After: https://app.nocodb.com/#/wqb1x/pab8e/mozv1/vwlks5i/product-roadmap

  • File uploads needed a lot of clicks: Adding attachments required multiple clicks and navigation steps. Now attachments can be dragged and dropped directly into attachment cells, making file uploads faster and more intuitive.

  • Group states would reset when switching views: Previously expanded groups would automatically collapse when you switched between views, forcing you to re-expand them repeatedly. Now group state (expanded/collapsed) is maintained locally per view, preserving your organization preferences.

  • No easy way to copy Base IDs for API usage: Developers needed Base IDs for API integration but had no quick way to access them. Added Base ID copy functionality to the base menu, following the same pattern as table, view, and field ID copying—providing quick access for API usage.

  • Mobile view editor was difficult to use: Mobile operations in form view has been improved, ensuring a better usage experience across all devices.

  • German users couldn't use local date formats: The system didn't support standard German date conventions. Added German Date Format Support for DD.MM.YYYY and DD.MM.YY, enabling proper display and input of dates in local conventions.

  • DATEADD formula was limited to days only: Time-based calculations requiring hours, minutes, or seconds weren't possible. Enhanced DATEADD formula now supports adding hours, minutes, and seconds, enabling more precise date-time calculations.


🐛 Closed Issues

  • [closed] 🐛 Bug: Webhook doesn't send custom headers #​12408
  • [🔎 Status: More Info Needed] 🐛 Bug: Editing single-select issue. Remove an existing single-select value and add it back. Results in the removal of that value from records/ #​12402
  • [closed] 🐛 Bug: Copy pasting from excel leads to an error mention bulkDataUpsert is not possible for editor #​12400
  • [closed] 🐛 Bug: Improvise tooltip for links in ERD #​12398
  • [closed] 🐛 Bug: The default Table grid view does not display paging at the bottom #​12389
  • [closed] 🐛 Bug: Missing "Show more" option for database column parameters #​12387
  • [closed] 🐛 Bug: Horizontal scroll not working when vertical scroll is at the top or bottom of the table #​12370
  • [🔎 Status: More Info Needed] 🐛 Bug: [self-hosted] The latest version update prevents importing external data. #​12368
  • [closed] 🐛 Bug: Clicking close icon in expanded record in edit state - should not result in losing the changes made #​12366
  • [Status: Reproducible] 🐛 Bug: [self-hosted] Can't upgrade Webhook to v3 #​12364
  • [closed] 🐛 Bug: [self-hosted] : Preview of Pictures are not shown anymore #​12342
  • [closed] 🔦 Feature: Ability to duplicate filter or filter groups #​12073
  • [closed] 🔦 Feature: Soft wrap in JSON modal view #​11984
  • [closed] 🐛 Bug: Database error when using where on lookup field from linked table. #​11900
  • [closed] 🔦 Feature: Expand all for group by view and persisting the opened groups #​11435
  • [closed] 🔦 Feature: Deselect Specific Records After "SELECT ALL" #​10590

Full Changelog: 0.264.9...0.265.0

v0.264.9: Bug Fix Release

Compare Source

🐛 Closed Issues

  • [closed] 🐛 Bug: revision history shows none, or most recent entries only #​12352
  • [closed] Disk space is not freed up after deleting files from Noko #​12341
  • [closed] 🔦 Feature: Button Field Opens URL in Modal (Centered on Screen) #​12340
  • [closed] 🐛 Bug: Unable to Delete or Modify Single Select Column in NocoDB Plus Edition (NocoDB Cloud) #​12332
  • [closed] 🐛 Bug: No public access to the form view #​12325
  • [closed] 🐛 Bug: API Filter V2 bug with WHERE filter #​12319
  • [closed] 🔦 Feature: Use Table+ViewName as slug in active view URL, move detailsTab to query param #​12315
  • [closed] 🐛 Bug: Invalid input syntax for boolean when adding Postgres source in NocoDB #​12203
  • [closed] 🐛 Bug: Bulk deletion issue persists after update #​12199
  • [closed] 🐛 Bug: Download URL not working due to double // #​12110
  • [🐹 DB : SQLite][Scope: Open Source] 🐛 Bug: docker cant modify the database file of sqlite #​12069
  • [closed] File import size limit is hardcoded #​12042
  • [closed] 🐛 Bug: TypeError: Invalid URL on NocoDB startup (Docker - Persistent Issue) #​12023
  • [closed] 🐛 Bug: [self-hosted] : 'SQLITE_ERROR: too many terms in compound SELECT' when upgrading to latest release #​11993
  • [closed] 🐛 Bug: Request to Adjust File Upload Limits (Count & Size) for S3 Attachments #​11944
  • [closed] 🐛 Bug: Swagger is not picking up float, currency - they are string in spec #​11843
  • [closed] 🐛 Bug: attachment files remain in uploads folder after deleted #​11783
  • [closed] Minio certificate issue #​11690
  • [closed] 🐛 Bug: ERROR [GlobalExceptionFilter] File too large #​11345
  • [closed] 🐛 Bug: The database views and table metadata use two decimal places, but when imported into a spreadsheet, only one decimal place is displayed. However, the API response shows two decimal places upon checking. #​11320
  • [closed] 🐛 Bug: Form View: Large attachments cause 400 Bad Request due to JSON body size on mobile #​11247
  • [closed] 🐛 Bug: When running docker, the modified interface does not take effect #​11142
  • [Status: Reproducible] 🐛 Bug: (security / medium to severe) No Access workspace role does not remove access to workspace databases when applied to an original db creator #​11103
  • [closed] 🐛 Bug: Database connection #​11051
  • [closed] 🐛 Bug: If NC_DB has searchPath specified for Supabase - error: CREATE SCHEMA IF NOT EXISTS "n" AUTHORIZATION #​11036
  • [closed] 🐛 Bug: data openapi.json spec at docs site is invalid #​11005
  • [closed] 🐛 Bug: Can't connect Backblaze B2 bucket #​10942
  • [closed] 🐛 Bug: Discussion mode empty screen needs work #​10891
  • [closed] 🐛 Bug: Expand All in Group View is gone with update #​10817
  • [Status: Reproducible] 🐛 Bug: Lookups do not appear in links list #​10605
  • [closed] 🔦 Feature: Remove file upload size limit from frontend to support big files #​10596
  • [closed] 🐛 Bug: Type of column 'User' shows everyone in the team, not just the ones that have access to that database #​10449
  • [closed] 🐛 Bug: When opting for Required field in the form view, Not Null is not set by default for the column in the DB. #​10154
  • [closed] 🐛 Bug: Postgres listen/notify breaks NocoDB #​10131
  • [✨ Type: Enhancement] 🐛 Bug: Expanded state for table views "group by" groups not saved and restored #​10071
  • [🐛 Type: Bug] 🐛 Bug: Issue with NocoDB Installation - "Table 'nc_projects' already exists" Error #​9905
  • [🐛 Type: Bug] 🐛 Bug: one to one relation with a view don't list records when custom id PK #​9691
  • [🐛 Type: Bug] 🐛 Bug: Issue with SMTP configuration #​9556
  • [🐛 Type: Bug] 🐛 Bug: can't view attachments in Gallery view if the field is selected as cover image #​9550
  • [🐛 Type: Bug] 🐛 Bug: I put Kanban as iframe but i can't edit it and meet error when i click the chr #​9515
  • [🐛 Type: Bug] 🐛 Bug: Array based formula support over lookup fields #​9470
  • [🔦 Type: Feature] 🔦 Feature: Change base icon to emoji (like table icons) #​9436
  • [closed] 🐛 Bug: Undefined binding(s) detected when compiling SELECT when Link Records using API #​8810
  • [closed] 🐛 Bug: Cannot connect to legacy MySQL #​8776
  • [closed] 🐛 Bug: Editing tables with constraints in remote databases leads to data loss #​8726
  • [Status: Reproducible] 🐛 Bug: Failed to load list: Something went wrong #​8630
  • [closed] 🔦 Feature: Allow to use SSL parameters in NC_DB (MySQL / PostgreSQL) #​8554
  • [closed] 🐛 Bug: Nocodb api.dbTableRow does not use URL Encode "/"s #​8465
  • [⛵ Type: AT Import] 🐛 Bug: TypeError: Cannot read properties of undefined (reading 'getChildColumn' #​7615
  • [closed] 🐛 Bug: Rest Api recordId ist not primary key #​7553
  • [closed] 🐛 Bug: ExternalDB: Cannot Bulk Update (timestamp as primary key) #​6109
  • [closed] 🐛 Bug: UPDATE on distributed key column not allowed on relation with update triggers #​6016
  • [closed] 🐛 Bug: Nocodb fails to start when run in non root container #​5982
  • [closed] Dependency Dashboard #​5826
  • [👋 For : Community or Good First Issue] 🐛 Bug: Persian proper font is not shown sometimes #​5212

Full Changelog: 0.264.8...0.264.9


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Feb 15, 2026
@renovate renovate bot force-pushed the renovate/npm-nocodb-vulnerability branch from 62109a9 to 4ac0811 Compare February 22, 2026 13:05