Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package nodebb, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (14)
CVE-2023-26045 — CVSS 10.0 (critical): NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring…
CVE-2021-43786 — CVSS 9.8 (critical): Nodebb is an open source Node.js based forum software. In affected versions incorrect logic present in the token verification step…
CVE-2022-46164 — CVSS 9.4 (critical): NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a…
CVE-2021-43787 — CVSS 9.0 (critical): Nodebb is an open source Node.js based forum software. In affected versions a prototype pollution vulnerability in the uploader module…
CVE-2022-36045 — CVSS 9.0 (critical): NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for…
CVE-2022-36076 — CVSS 8.8 (high): NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict…
CVE-2025-50979 — CVSS 8.6 (high): NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter…
CVE-2024-29316 — CVSS 6.3 (medium): NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group…
CVE-2015-3296 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in NodeBB before 0.7 allow remote attackers to inject arbitrary web script or HTML via…
CVE-2021-43788 — CVSS 5.0 (medium): Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to…
CVE-2023-2850 — CVSS 4.7 (medium): NodeBB is affected by a Cross-Site WebSocket Hijacking vulnerability due to missing validation of the request origin. Exploitation of this…
CVE-2024-57041 — CVSS 4.6 (medium): A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me'…
CVE-2022-3978 — CVSS 4.3 (medium): A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file…