CVE-2026-6224
Sandbox Escape Vulnerability in nocobase plugin-workflow-javascript
Publication date: 2026-04-13
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocobase | plugin-workflow-javascript | up to and including 2.0.23 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-265 | |
| CWE-264 | Permissions, Privileges, and Access Controls |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in the nocobase plugin-workflow-javascript up to version 2.0.23. It affects the createSafeConsole function in the file Vm.js. Manipulating this function leads to a sandbox issue, which means that an attacker can potentially escape or bypass the intended isolated environment.
The attack can be initiated remotely, and the exploit code has been publicly released, making it easier for attackers to use this vulnerability.
The vendor was informed early about this issue but did not respond.
How can this vulnerability impact me?
This vulnerability can allow remote attackers to manipulate the sandbox environment, potentially leading to unauthorized code execution or access to restricted resources.
Because the exploit is publicly available, the risk of exploitation is higher, which could result in data breaches, system compromise, or other security incidents.