Home / Vulnerability Intelligence / CVE-2026-28399

CVE-2026-28399 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 3, 2026

NocoDB - SQL Injection

Published: March 2, 2026Updated: March 3, 2026Remote Exploitable

Overview

NocoDB < 0.301.3 contains a SQL injection caused by improper sanitization of the DATEADD formula's unit parameter, letting authenticated users with Creator role execute arbitrary SQL commands.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.9%(Probability of exploitation in next 30 days)

Impact

Authenticated users with Creator role can execute arbitrary SQL commands, potentially compromising database integrity and confidentiality.

Mitigation

Upgrade to version 0.301.3 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 4, 2026

🟠 CVE-2026-28399 - High (8.8) NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28399/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28399
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 4.9%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.9%Probability of exploitation in the next 30 days