CVE-2026-28359
HTML Injection in NocoDB Rich Text Cells via API Abuse
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | < 0.301.3 (fixed in 0.301.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28359 is a stored cross-site scripting (XSS) vulnerability in the npm package nocodb, affecting versions up to and including 0.301.2.

An authenticated user with the Editor role can bypass the TipTap editor's client-side HTML sanitization by sending raw HTML directly through the API into Rich Text cells.

The backend stores this raw HTML without any server-side sanitization, and the stored content is later rendered without sanitization, so malicious scripts execute in the browsers of users viewing the affected cells.

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was fixed in version 0.301.3. [1]
How can this vulnerability impact me? :
This vulnerability allows an attacker with Editor access to inject malicious HTML and scripts into Rich Text cells, which will be executed in the browsers of users who view those cells.
As a result, it can lead to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of other users.
This can compromise the security and integrity of your data and user interactions within the nocodb application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an authenticated user with the Editor role injecting arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Detection therefore focuses on API requests that submit raw HTML to Rich Text cells, bypassing the normal editor sanitization, and on HTML already stored in those cells.

You can detect attempts by inspecting API traffic for payloads containing script tags, event-handler attributes (onerror, onload and similar) or javascript: URLs in Rich Text cell updates.

- Capture or log API requests to the NocoDB backend. Because the API is normally served over TLS, a plain tcpdump or Wireshark capture will not show request bodies; capture at the reverse proxy, or enable request-body logging there, instead.
- Use command-line tools such as curl or httpie to test the API by sending a raw HTML payload to a Rich Text cell and checking whether it is accepted and stored unchanged. Example (the endpoint path and the field name are placeholders, not NocoDB's actual API route; replace the URL, authentication and column name for your instance):
  curl -X POST https://your-nocodb-instance/api/v1/endpoint -H 'Authorization: Bearer <token>' -H 'Content-Type: application/json' -d '{"richTextCell": "<script>alert(1)</script>"}'
- Check the stored data in the database for raw HTML containing script tags, on* event-handler attributes or javascript: URLs in Rich Text cells. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade NocoDB to version 0.301.3 or later, where this vulnerability has been patched.
Until the upgrade can be applied, restrict Editor role permissions to trusted users only to reduce the risk of exploitation.
Implement additional server-side sanitization or validation of HTML content submitted via the API to prevent raw HTML injection.
Monitor and audit API usage for suspicious raw HTML submissions.
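One way to implement the server-side validation step above, which also serves the detection question earlier on this page, as an added example written for this page and not NocoDB's own code: a fail-closed allowlist validator for the HTML a Rich Text cell may contain, plus a scanner that runs it over rows already stored in a table. The column name `Notes`, the `Id` field, the function names `validateRichTextHtml` and `scanRows`, and the sample rows are all assumptions constructed for the demo; the actual sanitizer NocoDB shipped in 0.301.3 is not shown here.

```javascript
// Added example (not NocoDB project code): a fail-closed allowlist validator for
// HTML submitted to Rich Text cells, plus a scanner that applies it to rows
// already stored, for hunting payloads that arrived before the 0.301.3 fix.
// Column names, row shapes and the sample rows below are constructed for the demo.

// Tags a rich-text editor legitimately emits. Anything else is rejected.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'strong', 'i', 'em', 'u', 's', 'code', 'pre', 'blockquote',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'a',
]);

// Per-tag attribute allowlist. Event handlers (on*), style, srcdoc etc. are never allowed.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };

// URL schemes accepted in href. Checked on the raw attribute value, so an
// entity-encoded "java&#x73;cript:" simply fails the allowlist instead of slipping through.
const SAFE_HREF = /^(https?:|mailto:)/i;

const TAG_RE = /<(\/?)([a-z][a-z0-9-]*)([^>]*)>/gi;
const ATTR_RE = /^\s*([a-z][a-z0-9-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/i;

function unquote(v) {
  if (v === undefined) return '';
  return (v[0] === '"' || v[0] === "'") ? v.slice(1, -1) : v;
}

// Returns { ok: true } or { ok: false, reason } for one cell's HTML.
function validateRichTextHtml(html) {
  if (typeof html !== 'string') return { ok: false, reason: 'not a string' };
  const tags = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) tags.push(m);
  for (const [, closing, rawName, attrStr] of tags) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return { ok: false, reason: `tag <${name}> not allowed` };
    if (closing) {
      if (attrStr.trim() !== '') return { ok: false, reason: `attributes on closing </${name}>` };
      continue;
    }
    // Consume attributes one by one; anything the grammar does not cover fails closed.
    let attrs = attrStr;
    while (attrs.trim() !== '' && attrs.trim() !== '/') {
      const am = ATTR_RE.exec(attrs);
      if (!am) return { ok: false, reason: `malformed attributes on <${name}>` };
      const attr = am[1].toLowerCase();
      const allowed = ALLOWED_ATTRS[name];
      if (!allowed || !allowed.has(attr)) {
        return { ok: false, reason: `attribute ${attr} on <${name}> not allowed` };
      }
      if (attr === 'href' && !SAFE_HREF.test(unquote(am[2]).trim())) {
        return { ok: false, reason: 'href scheme not allowed' };
      }
      attrs = attrs.slice(am[0].length);
    }
  }
  // Any '<' that did not parse as a well-formed tag (comments, <!DOCTYPE, CDATA,
  // broken-nesting tricks, a bare '<' the editor would have encoded as &lt;)
  // is rejected rather than guessed at.
  if (html.replace(TAG_RE, '').includes('<')) {
    return { ok: false, reason: 'unparsed "<" in content' };
  }
  return { ok: true };
}

// Apply the validator to rows already in a table (e.g. exported through the data
// API or read from the backing database) and report cells that would not pass.
function scanRows(rows, richTextColumns) {
  const findings = [];
  for (const row of rows) {
    for (const col of richTextColumns) {
      if (!(col in row) || row[col] === null) continue;
      const v = validateRichTextHtml(row[col]);
      if (!v.ok) findings.push({ id: row.Id, column: col, reason: v.reason });
    }
  }
  return findings;
}

// Constructed sample rows (not real NocoDB data); "Id" and "Notes" are assumed names.
const SAMPLE_ROWS = [
  { Id: 1, Notes: '<p>Quarterly <strong>review</strong> notes</p>' },
  { Id: 2, Notes: '<p><a href="https://example.com/doc">spec</a></p>' },
  { Id: 3, Notes: '<p>hi</p><img src=x onerror="alert(document.cookie)">' },
  { Id: 4, Notes: '<a href="javascript:alert(1)">click</a>' },
  { Id: 5, Notes: '<p onmouseover="alert(1)">hover</p>' },
  { Id: 6, Notes: '<!-- injected --><p>x</p>' },
];

function demo() {
  return scanRows(SAMPLE_ROWS, ['Notes']);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Rejecting the request (an HTTP 400 on the cell update) instead of silently cleaning it means an unknown tag or attribute never reaches storage, which is why a regex tokenizer is acceptable here: anything its grammar does not cover is refused. For an in-place sanitizer that must keep the good parts of mixed content, use a parser-backed allowlist library such as DOMPurify or sanitize-html rather than extending this regex.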