CVE-2026-47375 | NocoDB is software for building databases as spreadsheets. P… | CVSS 6.0 MEDIUM

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, an authenticated user with columnAdd permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of ARRAYSORT(...). The value is unrestricted by formula validation and embedded into a knex.raw ORDER BY clause, executing during column creation and on every subsequent record read of the formula column. The vulnerability is specific to the Postgres mapping for ARRAYSORT in packages/nocodb/src/db/functionMappings/pg.ts. This vulnerability is fixed in 2026.04.1.

Metadata

CVE ID: CVE-2026-47375
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-19 19:22 UTC
Published: 2026-06-23 20:36 UTC
Last updated: 2026-06-23 20:36 UTC
Primary CWE: CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product: nocodb / nocodb
Sources: cve.org · NVD

Severity & Metrics

6.0 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

Affected products (1)

Vendor	Product	Platform	Versions
nocodb	nocodb	—	< 2026.04.1

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.0	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H

References (1)

https://github.com/nocodb/nocodb/security/advisories/GHSA-cxv7-gmmp-228p https://github.com/nocodb/nocodb/security/advisories/GHSA-cxv7-gmmp-228p