CVE-2026-28357
Stored XSS in NocoDB Formula Virtual Cell Allows Code Execution
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | up to (excluding) 0.301.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28357 is a stored Cross-Site Scripting (XSS) vulnerability in the NocoDB software, specifically in the Formula virtual cell feature prior to version 0.301.3.

The vulnerability occurs because formula results containing URI::() patterns are rendered using Vue's v-html directive without proper sanitization, allowing injected HTML and JavaScript to execute.

An attacker with at least the Creator role can craft malicious formulas that inject arbitrary HTML or scripts, which then execute in the browsers of users viewing the affected table. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary script execution in the browsers of users who view the affected NocoDB tables.
Such script execution can be used to steal user credentials or perform other malicious actions within the context of the affected users.
Because the vulnerability requires at least the Creator role to exploit, an attacker with this level of access can compromise the security of other users interacting with the database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the presence of malicious formula fields in NocoDB instances running versions prior to 0.301.3. Specifically, look for formula virtual cells containing URI::() patterns combined with injected HTML or JavaScript code.

Since the vulnerability involves stored XSS in formula fields, detection involves reviewing formulas for suspicious concatenations that include HTML tags or event handlers.

There are no specific commands provided in the resources, but you can use database queries or API calls to extract formula definitions and search for patterns like 'URI::(' combined with HTML tags such as '<img', '<script', or event handlers like 'onerror'.

For example, if you have access to the database or API, you might run queries to find formula fields containing suspicious strings. [1]
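A defender-side scanner for the review described above, added here as an example and not taken from the advisory or from NocoDB: it flags formula definitions that combine the URI::( marker with HTML tags or event handlers, and leaves formulas that have only one of the two alone. The sample formula definitions, their CONCAT-style syntax and the (table, column, formula) export shape are constructed for illustration and are not real NocoDB data.

```python
import re

# Markers named in the advisory: the URI::( pattern that reaches v-html,
# plus HTML tags and inline event handlers that would execute in it.
URI_PATTERN = re.compile(r"URI::\(", re.IGNORECASE)
HTML_TAG = re.compile(r"<\s*(img|script|svg|iframe|a|body|input|video|object)\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def classify_formula(formula: str) -> dict:
    """Report which suspicious markers appear in one formula definition."""
    return {
        "uri": bool(URI_PATTERN.search(formula)),
        "html_tag": bool(HTML_TAG.search(formula)),
        "event_handler": bool(EVENT_HANDLER.search(formula)),
    }


def is_suspicious(formula: str) -> bool:
    """A formula is suspicious when it carries URI::( together with markup
    or an event handler; HTML alone does not reach the v-html path."""
    m = classify_formula(formula)
    return m["uri"] and (m["html_tag"] or m["event_handler"])


def scan_formulas(fields):
    """fields: iterable of (table, column, formula) tuples, as exported from
    the database or API. Returns the tuples that need manual review."""
    return [(t, c, f) for t, c, f in fields if is_suspicious(f)]


# Constructed sample export; only bad_link and handler_only should be flagged.
SAMPLE_FIELDS = [
    ("customers", "profile_link", 'CONCAT("URI::(", {Website}, ")")'),
    ("customers", "bad_link", 'CONCAT("URI::(", "<img src=x onerror=run()>", ")")'),
    ("orders", "note", 'CONCAT("<b>", {Status}, "</b>")'),
    ("orders", "handler_only", 'CONCAT("URI::(x onerror=", {Name}, ")")'),
]

if __name__ == "__main__":
    for table, column, formula in scan_formulas(SAMPLE_FIELDS):
        print(f"review {table}.{column}: {formula}")
```

Matching on definitions is a heuristic: a formula can assemble the URI::( string at evaluation time, so review the rendered cell values of flagged and URI-producing formulas as well.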
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade NocoDB to version 0.301.3 or later, where this stored XSS vulnerability has been patched.
Until the upgrade is applied, restrict the ability to create or modify formula fields to trusted users only, as the vulnerability requires at least Creator role permissions.
Additionally, review existing formula fields for suspicious content and remove or sanitize any formulas that contain potentially malicious HTML or JavaScript.