CVE-2026-47279: Nocodb Knex Raw Ast Injection
Directly passing the `.value` of an AST argument (like `pt.arguments[1]?.value`) to `knex.raw()` without validation can lead to SQL injection. Ensure the variable is validated against a strict allowlist (e.g., 'asc', 'desc') before usage.
Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0
TS
TSgreprules fetch cve-2026-47279-nocodb-knex-raw-ast-injection --engine opengrepDescription
Directly passing the `.value` of an AST argument (like `pt.arguments[1]?.value`) to `knex.raw()` without validation can lead to SQL injection. Ensure the variable is validated against a strict allowlist (e.g., 'asc', 'desc') before usage.
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0