CVE-2026-28399
HIGHNocoDB < 0.301.3 - Authenticated SQL Injection via DATEADD Formula Unit Parameter
Title source: llmDescription
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nocodb/nocodb/security/advisories/GHSA-45rp-9p97-h852
Release Notes x_refsource_misc
https://github.com/nocodb/nocodb/releases/tag/0.301.3
Scores
CVSS v3
8.8
EPSS
0.0007
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
nocodb/nocodb
< 0.301.3
npm/nocodb
0 - 0.301.3npm
Published
Mar 02, 2026
Tracked Since
Mar 03, 2026