6 matches found
CVE-2026-28399
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...
GHSA-45RP-9P97-H852 NocoDB Vulnerable to SQL Injection via DATEADD Formula
Summary An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. Details The third argument unit of DATEADD was interpolated directly into knex.raw queries after only stripping quote characters. Validation in formulas.ts only checked Literal AST...
SQL Injection
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to SQL Injection via the DATEADD formula's unit parameter. An attacker with the Creator role can execute arbitrary SQL commands by supplying crafted input to this parameter. Remediation Upgrade nocodb to version 0.301.3 ...
CVE-2026-28399
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...
CVE-2026-28399
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...
EUVD-2026-9214
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3...