CVE-2026-24769
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | to 0.301.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in NocoDB's attachment handling mechanism prior to version 0.301.0. Authenticated users can upload malicious SVG files containing embedded JavaScript. When other users view these attachments, the malicious script executes in their browsers under the application's origin, potentially compromising their accounts and data.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to account compromise, data exfiltration, and unauthorized actions performed on behalf of affected users. This means attackers could steal sensitive information, manipulate data, or perform actions as if they were the legitimate users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade NocoDB to version 0.301.0 or later, as this version patches the stored cross-site scripting (XSS) vulnerability in the attachment handling mechanism.