Lucene search
K

4 matches found

CVE
CVE
added 2026/06/23 8:15 p.m.23 views

CVE-2026-47384

CVE-2026-47384 – NocoDB SQL Injection via Column Title in Bulk GroupBy : An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column title to a SQL fragment. The vulnerable code path builds three database-specific knex.raw() aggregations t...

5.3CVSS5.9AI score0.00306EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 8:15 p.m.29 views

CVE-2026-47384 NocoDB: SQL Injection via Column Title in Bulk GroupBy

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupBy path in group-by.ts builds three database-specific...

5.3CVSS0.00306EPSS
Exploits0References1
OSV
OSV
added 2026/06/05 4:19 p.m.7 views

GHSA-P8WX-5F39-W3X4 NocoDB: SQL Injection via Column Title in Bulk GroupBy

Summary An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. Details The bulk groupBy path in group-by.ts builds three database-specific knex.raw aggregations that interpolate the request's columnname...

5.3CVSS5.6AI score0.00306EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/05 4:19 p.m.19 views

NocoDB: SQL Injection via Column Title in Bulk GroupBy

Summary An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. Details The bulk groupBy path in group-by.ts builds three database-specific knex.raw aggregations that interpolate the request's columnname...

5.3CVSS5.6AI score0.00306EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder