CVE-2026-47384

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.

The bulk groupBy path in group-by.ts builds three database-specific knex.raw() aggregations that interpolate the request's column name directly into the SQL string. Column lookup in data-table.service.ts matches on both the sanitized column name field and the free-text title, so a title containing a SQL fragment bypasses the public endpoint's existing column allowlist and reaches the query builder unescaped.

SQL injection against the connected database with read access to any expression an attacker can place in a column title. Exploitation requires an authenticated session with permission to create or rename columns.

This issue was reported by @geo-chen.