CVE-2026-6224

Summary

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
nocobaseplugin-workflow-javascript2.0.0affected
nocobaseplugin-workflow-javascript2.0.1affected
nocobaseplugin-workflow-javascript2.0.2affected
nocobaseplugin-workflow-javascript2.0.3affected
nocobaseplugin-workflow-javascript2.0.4affected
nocobaseplugin-workflow-javascript2.0.5affected
nocobaseplugin-workflow-javascript2.0.6affected
nocobaseplugin-workflow-javascript2.0.7affected
nocobaseplugin-workflow-javascript2.0.8affected
nocobaseplugin-workflow-javascript2.0.9affected
nocobaseplugin-workflow-javascript2.0.10affected
nocobaseplugin-workflow-javascript2.0.11affected
nocobaseplugin-workflow-javascript2.0.12affected
nocobaseplugin-workflow-javascript2.0.13affected
nocobaseplugin-workflow-javascript2.0.14affected
nocobaseplugin-workflow-javascript2.0.15affected
nocobaseplugin-workflow-javascript2.0.16affected
nocobaseplugin-workflow-javascript2.0.17affected
nocobaseplugin-workflow-javascript2.0.18affected
nocobaseplugin-workflow-javascript2.0.19affected
nocobaseplugin-workflow-javascript2.0.20affected
nocobaseplugin-workflow-javascript2.0.21affected
nocobaseplugin-workflow-javascript2.0.22affected
nocobaseplugin-workflow-javascript2.0.23affected

Weaknesses

  • CWE-265: Sandbox Issue
  • CWE-264: Improper Access Controls

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References