@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
The queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. Affected component: @nocobase/database (core) Affected versions: <= …