CVE-2026-47382: Nocodb Raw Argument Value Sqli
Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · TS
greprules fetch cve-2026-47382-nocodb-raw-argument-value-sqli --engine opengrep
Description
Formula argument literal values (`.value`) are injected directly into `knex.raw()`. This bypasses query parameterization and allows arbitrary SQL execution when a user supplies malicious input. Validate the value against a strict allowlist (e.g., 'asc', 'desc') before passing it to `knex.raw()`.
Community feedback
0 signals from signed-in users: Useful 0, False positive 0, Metadata 0.