Product
nodebb
20 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-50979
all versions
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query p

CVE-2025-29513
<= 4.0.4
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin

CVE-2025-29512
<= 4.0.4
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potential

CVE-2024-57041
all versions
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'ab

CVE-2024-29316
all versions
NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Adm

CVE-2023-30591
<= 2.8.10
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith()

CVE-2023-43187
< 1.18.6
A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows

CVE-2023-2850
< 2.8.13
NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation

CVE-2023-26045
>= 2.5.0 and < 2.8.7
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destruc

CVE-2022-46164
< 2.6.1
NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message hand

CVE-2022-3978
< 2.5.8
A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /r

CVE-2022-36076
< 1.17.2
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily

CVE-2022-36045
< 1.19.8
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets

CVE-2021-43788
>= 1.0.4 and <= 1.18.4
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed u

CVE-2021-43787
>= 1.15.5 and <= 1.18.4
Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader mo

CVE-2021-43786
>= 1.15.0 and <= 1.18.4
Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step

CVE-2020-15156
< 0.7.0
In nodebb-plugin-blog-comments before version 0.7.0, a logged in user is vulnerable to an XSS attack which could allow a third par

CVE-2020-15149
>= 1.12.2 and < 1.14.3
NodeBB before version 1.14.3 has a bug introduced in version 1.12.2 in the validation logic that makes it possible to change the p

CVE-2015-9286
< 0.7.3
Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

CVE-2015-3296
<= 0.6.1
Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or