SQL Injection in NocoDB
CVE-2026-47384
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment. The bulk groupB…
Vulnerability class: SQL Injection
Affected products
- NocoDB — versions < 2026.05.1
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)