CVE-2026-28399

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28399

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28399.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28399

Aliases

GHSA-45rp-9p97-h852

Published

2026-03-02T16:19:42.424Z

Modified

2026-03-03T02:57:14.437154Z

Severity

6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

NocoDB: SQL Injection via DATEADD Formula

Details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28399.json"
}

References

Affected packages

Git / github.com/nocodb/nocodb

Affected ranges

Type

GIT

Repo

https://github.com/nocodb/nocodb

Events

Introduced

Fixed

391834484b11c429e4ff5677538b3b2f16ca510d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.301.3"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.100.0

0.100.1

0.100.2

0.101.0

0.101.0-beta.0

0.101.2

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.106.0

0.106.0-beta.0

0.106.0-beta.1

0.106.1

0.107.0

0.107.0-beta.0

0.107.0-beta.1

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.108.0

0.108.0-beta.0

0.108.1

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.109.7

0.11.0

0.11.1

0.11.10

0.11.11

0.11.12

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.25

0.11.26

0.11.28

0.11.29

0.11.3

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.36

0.11.39

0.11.4

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.5

0.11.6

0.11.7

0.11.9

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.200.0

0.202.0

0.202.10

0.202.4

0.202.5

0.202.6

0.202.7

0.202.8

0.202.9

0.203.0

0.203.1

0.203.2

0.204.0

0.204.1

0.204.2

0.204.3

0.204.4

0.204.5

0.204.6

0.204.7

0.204.8

0.204.9

0.205.0

0.205.1

0.207.0

0.207.1

0.207.2

0.207.3

0.250.0

0.250.1

0.250.2

0.251.0

0.251.1

0.251.2

0.251.3

0.252.0

0.253.0

0.255.0

0.255.1

0.255.2

0.256.0

0.257.0

0.257.2

0.258.0

0.258.1

0.258.10

0.258.11

0.258.2

0.258.3

0.260.0

0.260.1

0.260.2

0.260.3

0.260.4

0.260.5

0.260.6

0.260.7

0.261.0

0.262.0

0.262.1

0.262.2

0.262.3

0.262.4

0.262.5

0.263.0

0.263.1

0.263.2

0.263.3

0.263.4

0.263.6

0.263.7

0.263.8

0.264.0

0.264.1

0.264.2

0.264.3

0.264.4

0.264.6

0.264.7

0.264.8

0.264.9

0.265.0

0.265.1

0.300.0

0.301.0

0.301.1

0.301.2

0.4.5

0.4.8

0.4.9

0.80.0

0.81.0

0.81.1

0.82.0

0.83.0

0.83.1

0.83.2

0.83.3

0.83.4

0.83.5

0.83.6

0.83.8

0.84.1

0.84.10

0.84.12

0.84.13

0.84.14

0.84.15

0.84.16

0.84.2

0.84.3

0.84.6

0.84.7

0.84.8

0.84.9

0.9

0.90.0

0.90.1

0.90.10

0.90.11

0.90.2

0.90.3

0.90.4

0.90.5

0.90.7

0.90.8

0.90.9

0.91.0

0.91.1

0.91.10

0.91.6

0.91.7

0.91.8

0.91.9

0.92.0

0.92.1

0.92.2

0.92.3

0.92.4

0.96.0

0.96.1

0.96.2

0.96.4

0.97.0

0.98.1

0.98.2

0.98.3

0.98.4

0.99.0

0.99.1

0.99.2

v0.*

v0.10.0

v0.4.2

v0.4.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28399.json"