CVE-2026-6224
Received Received - Intake

Sandbox Escape Vulnerability in nocobase plugin-workflow-javascript

Vulnerability report for CVE-2026-6224, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-13

Last updated on: 2026-04-29

Assigner: VulDB

Description

A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-13
Last Modified
2026-04-29
Generated
2026-07-06
AI Q&A
2026-04-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocobase plugin-workflow-javascript to 2.0.23 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-265
CWE-264 Permissions, Privileges, and Access Controls

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in the nocobase plugin-workflow-javascript up to version 2.0.23. It specifically affects the createSafeConsole function in the file Vm.js. The flaw causes a sandbox issue when manipulated, which means that an attacker can potentially escape or bypass the intended isolated environment.

The attack can be initiated remotely, and the exploit code has been publicly released, making it easier for attackers to use this vulnerability.

The vendor was informed early about this issue but did not respond.

Impact Analysis

This vulnerability can allow remote attackers to manipulate the sandbox environment, potentially leading to unauthorized code execution or access to restricted resources.

Because the exploit is publicly available, the risk of exploitation is higher, which could result in data breaches, system compromise, or other security incidents.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart