NocoDB SQL Injection Vulnerability in DATEADD Formula

Vulnerability

A SQL injection vulnerability exists in NocoDB versions prior to 0.301.3. An authenticated user holding the Creator role can inject arbitrary SQL through the unit parameter of the DATEADD formula. The unit value was interpolated directly into the generated SQL text without validation, so the DATEADD function mappings for MySQL, PostgreSQL, and SQLite all passed attacker-controlled text through to the database. Because an interval unit is part of the SQL grammar rather than a bindable value, the correct defence is to accept only a fixed set of known units before any SQL is built.
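To make the bug class concrete, the following is an added illustration (not NocoDB's code, and not its real function mappings): a hypothetical formula compiler that turns DATEADD(column, count, unit) into dialect-specific SQL. The dialect names, templates, knex-style `?` placeholders, allowlist contents and the constructed hostile unit string are all assumptions for this example. The vulnerable shape drops the unit into the SQL text; the hardened shape checks it against an allowlist first.

```javascript
// Hypothetical DATEADD-to-SQL compiler, added to illustrate the vulnerability
// class described above. Not NocoDB's code; templates are simplified.

// The count is a value and can be bound as a driver parameter. The unit is
// part of the SQL grammar (INTERVAL ? DAY, '+? day'), so no driver can bind
// it; the only safe handling is to allowlist it. Allowlist contents assumed.
const ALLOWED_UNITS = new Set(['day', 'week', 'month', 'year']);

// Minimal identifier quoting. The column name comes from the schema, not from
// the formula author, but quoting it costs nothing.
function quoteIdent(dialect, name) {
  return dialect === 'mysql'
    ? '`' + String(name).replace(/`/g, '``') + '`'
    : '"' + String(name).replace(/"/g, '""') + '"';
}

// Vulnerable shape: the unit string lands in the SQL text unchecked.
function dateAddUnsafe(dialect, column, count, unit) {
  const col = quoteIdent(dialect, column);
  switch (dialect) {
    case 'mysql':
      return { sql: `DATE_ADD(${col}, INTERVAL ? ${unit})`, params: [count] };
    case 'pg':
      return { sql: `(${col} + (? || ' ${unit}')::interval)`, params: [String(count)] };
    case 'sqlite':
      return { sql: `DATETIME(${col}, ? || ' ${unit}')`, params: [String(count)] };
    default:
      throw new Error(`unsupported dialect: ${dialect}`);
  }
}

// Hardened shape: same templates, but the unit must be one of a fixed set and
// the count must be an integer. Both checks run before any SQL is assembled.
function dateAddSafe(dialect, column, count, unit) {
  const u = String(unit).toLowerCase();
  if (!ALLOWED_UNITS.has(u)) {
    throw new Error(`DATEADD: unsupported unit ${JSON.stringify(unit)}`);
  }
  if (!Number.isInteger(count)) {
    throw new Error('DATEADD: count must be an integer');
  }
  return dateAddUnsafe(dialect, column, count, u);
}

// Constructed input for the illustration (not a payload verified against
// NocoDB): a "unit" that closes the function call and appends its own SQL.
const HOSTILE_UNIT = 'day) OR 1=1 -- ';

// Runs both shapes on the hostile unit and reports what each did.
function demo() {
  const leaked = dateAddUnsafe('mysql', 'created_at', 3, HOSTILE_UNIT).sql;
  let rejected = false;
  try {
    dateAddSafe('mysql', 'created_at', 3, HOSTILE_UNIT);
  } catch (e) {
    rejected = true;
  }
  return { leaked, rejected };
}

console.log(demo());
```

The point of the allowlist is that it is a closed set compared by equality, not a pattern match or an escaping routine: escaping cannot help here because the unit is a keyword, not a string literal.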

Impact

A Creator who exploits this issue runs attacker-chosen SQL with the privileges of NocoDB's own database connection, allowing data in the connected database to be read (exfiltrated) or modified.

Remediation

Upgrade to NocoDB version 0.301.3 or later. Until the upgrade is applied, keeping the Creator role limited to trusted users reduces exposure, since only authenticated Creators can reach the vulnerable formula path.

Added: Mar 2, 2026, 5:19 PM
Updated: Mar 2, 2026, 9:13 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 3.1
impact: 3.1
exploitability: 4.8
remediation: 7.7
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.