Nocobase Plugin Sandbox Bypass: Remote Exploit Publicly Available
A critical security flaw, identified as CVE-2026-6224, has been uncovered in the nocobase plugin-workflow-javascript up to version 2.0.23. According to the National Vulnerability Database, this vulnerability stems from the createSafeConsole function within the Vm.js file, allowing for a sandbox escape. This isn’t just a theoretical bug; the National Vulnerability Database reports that a remote exploit is already in the wild, meaning attackers can weaponize this without needing physical access or extensive user interaction.
The implications of a sandbox escape are significant: an attacker can break out of the intended secure environment and potentially execute arbitrary code on the underlying system. The National Vulnerability Database has assigned this a CVSS score of 7.3 (HIGH), underscoring the severity. The unfortunate kicker here is the vendor’s silence: the National Vulnerability Database noted that initial disclosure attempts went unanswered, leaving users exposed with no official patch in sight.
This is a classic case where a seemingly innocuous plugin can open up a world of pain. The National Vulnerability Database highlighted CWE-264 and CWE-265, both related to permissions, privileges, and access controls. When a vendor goes dark on a critical vulnerability, it puts the onus squarely on the users to be hyper-vigilant and consider mitigation strategies or, frankly, ditch the component until a fix is available.
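The first mitigation step the advisory implies is knowing whether the affected component is installed at all. The following is an added example written for this page, not nocobase project code: it walks an npm `package-lock.json` (lockfileVersion 2 or 3 layout, where installed packages are keyed by their `node_modules/...` path) and flags any copy of `@nocobase/plugin-workflow-javascript` whose version falls in the advisory's range. It assumes "up to version 2.0.23" is inclusive and that the package name matches the one in the IoC table below; the sample lockfile object is constructed for the example and is not from any real deployment.

```javascript
// Added example (not nocobase code): audit a package-lock.json object for the
// affected plugin version range named in the advisory above.
// Assumptions: "up to version 2.0.23" is inclusive, and the npm package name
// is "@nocobase/plugin-workflow-javascript" as listed in the IoC table.

const AFFECTED_PACKAGE = "@nocobase/plugin-workflow-javascript";
const MAX_AFFECTED_VERSION = "2.0.23"; // inclusive upper bound (assumption)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three integers.
// Pre-release and build suffixes are dropped; only the core triple is compared.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparator: -1 if a < b, 0 if equal, 1 if a > b.
// A plain string compare would wrongly rank "2.0.9" above "2.0.10".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is <= the advisory's upper bound.
function isAffected(version) {
  return compareVersions(version, MAX_AFFECTED_VERSION) <= 0;
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/@nocobase/plugin-workflow-javascript", possibly nested under
// another dependency's node_modules, so match on the path suffix.
function findAffected(lock) {
  const hits = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/" + AFFECTED_PACKAGE)) continue;
    if (!meta || typeof meta.version !== "string") continue;
    if (isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Human-readable summary of the audit result.
function report(lock) {
  const hits = findAffected(lock);
  if (hits.length === 0) {
    return `OK: no affected copy of ${AFFECTED_PACKAGE} (<= ${MAX_AFFECTED_VERSION}) found`;
  }
  return hits
    .map((h) => `AFFECTED: ${h.path} @ ${h.version} (<= ${MAX_AFFECTED_VERSION}, CVE-2026-6224)`)
    .join("\n");
}

// Constructed sample lockfile for the demo; not taken from any real system.
// One top-level copy is in range, one nested copy has already moved past it.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@nocobase/plugin-workflow-javascript": { version: "2.0.23" },
    "node_modules/some-other-dep": { version: "4.1.0" },
    "node_modules/some-other-dep/node_modules/@nocobase/plugin-workflow-javascript": {
      version: "2.0.24",
    },
  },
};

console.log(report(SAMPLE_LOCK));
```

To run this against a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The suffix match on the package path is deliberate: a transitively installed, nested copy of the plugin is just as exposed as the top-level one, and a check that only looks at the root `dependencies` block would miss it.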
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6224 | Sandbox Escape | nocobase plugin-workflow-javascript up to version 2.0.23 |
| CVE-2026-6224 | Sandbox Escape | Vulnerable function: createSafeConsole in packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js |