Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28359 is a Stored Cross-Site Scripting (XSS) vulnerability in the npm package nocodb, affecting versions up to and including 0.301.2.'}, {'type': 'paragraph', 'content': "An authenticated user with an Editor role can bypass the TipTap editor's client-side HTML sanitization by sending raw HTML directly through the API into Rich Text cells."}, {'type': 'paragraph', 'content': 'The backend stores this raw HTML without any server-side sanitization, and when the content is rendered, it is processed without sanitization, allowing malicious scripts to execute in the browsers of users viewing the affected cells.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was fixed in version 0.301.3.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with Editor access to inject malicious HTML and scripts into Rich Text cells, which will be executed in the browsers of users who view those cells.

As a result, it can lead to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of other users.

This can compromise the security and integrity of your data and user interactions within the nocodb application.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authenticated user with Editor role injecting arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Detection involves monitoring API requests for raw HTML content submissions that bypass the normal editor sanitization.'}, {'type': 'paragraph', 'content': 'You can detect attempts by inspecting API traffic for suspicious payloads containing raw HTML or script tags in Rich Text cell updates.'}, {'type': 'list_item', 'content': 'Use network traffic capture tools like tcpdump or Wireshark to monitor API requests to the NocoDB backend.'}, {'type': 'list_item', 'content': 'Use command-line tools such as curl or httpie to manually test the API by sending raw HTML payloads to Rich Text cells and observe if they are accepted.'}, {'type': 'list_item', 'content': 'Example curl command to test injection (replace URL and authentication accordingly):\ncurl -X POST https://your-nocodb-instance/api/v1/endpoint -H \'Authorization: Bearer <token>\' -H \'Content-Type: application/json\' -d \'{"richTextCell": "<script>alert(1)</script>"}\''}, {'type': 'list_item', 'content': 'Check stored data in the database for presence of raw HTML or script tags in Rich Text cells.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict Editor role permissions to trusted users only to reduce the risk of exploitation.

Implement additional server-side sanitization or validation of HTML content submitted via the API to prevent raw HTML injection.

Monitor and audit API usage for suspicious raw HTML submissions.

Useful 0 Not Useful 0