PT-2022-15257 · Nocodb · Nocodb

Published: 2022-01-10 · Updated: 2025-08-26 · CVE-2022-22121

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NocoDB versions 0.81.0 through 0.83.8

Description: The issue allows a low-privileged attacker to inject payloads into table rows by creating a new table. When an administrator accesses the User Management endpoint, exports the data as a CSV file and then opens it, the payload is executed. This is a result of a CSV Injection vulnerability, also known as Formula Injection.

Recommendations: For versions 0.81.0 through 0.83.8, consider restricting access to the User Management endpoint to minimize the risk of exploitation. As a temporary workaround, avoid exporting data as a CSV file from the User Management endpoint until a patch is available.
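Formula Injection works because spreadsheet applications interpret a cell that begins with a formula trigger character as a formula rather than as text. The standard hardening on the exporting side is to neutralize such cells before they are written out, and the standard check on the receiving side is to scan an export for cells that would still be parsed as formulas. The following is an added example written for this advisory; it is not NocoDB's code and does not reflect how NocoDB performs its export. The sample user rows, the field names and the trigger list are constructed for the example.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula, or that can be used to smuggle one past a naive check.
# Constructed list for this example.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample data standing in for rows an administrator might export.
# The second display_name is a harmless formula used only to exercise the check.
FIELDS = ["email", "display_name"]
SAMPLE_USERS = [
    {"email": "alice@example.com", "display_name": "Alice"},
    {"email": "bob@example.com", "display_name": "=1+1"},
]


def neutralize_cell(value):
    """Return the cell as text, prefixed with an apostrophe if a spreadsheet
    would otherwise interpret it as a formula.

    The apostrophe forces the cell to be treated as a literal string; the
    original content is preserved and still readable."""
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, fieldnames, neutralize=True):
    """Serialize rows to CSV text.

    neutralize=False reproduces the weak behaviour (cell content written as-is);
    neutralize=True is the hardened export. Every field is quoted so that
    separators inside a value cannot create extra cells."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        cells = {}
        for name in fieldnames:
            value = row.get(name)
            cells[name] = neutralize_cell(value) if neutralize else ("" if value is None else str(value))
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing CSV export: return (data_row_number, column_name) for
    every cell that a spreadsheet would parse as a formula. Row numbers are
    1-based over the data rows, excluding the header."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            if value is not None and value.startswith(FORMULA_TRIGGERS):
                findings.append((row_no, column))
    return findings


if __name__ == "__main__":
    weak = export_rows(SAMPLE_USERS, FIELDS, neutralize=False)
    hardened = export_rows(SAMPLE_USERS, FIELDS)
    print("weak export flags:", find_formula_cells(weak))
    print("hardened export flags:", find_formula_cells(hardened))
    print(hardened)
```

`find_formula_cells` is also useful on its own for checking a CSV that another system produced before it is opened in a spreadsheet. One trade-off of the apostrophe prefix is that legitimate values beginning with `-` or `+` (negative numbers, phone numbers) are also prefixed and lose their numeric type on import; an export that needs to keep those numeric can restrict the prefix to cells that are not purely numeric, accepting that the check then has to be stricter about what counts as numeric.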

Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers: CVE-2022-22121

Affected Products: Nocodb