CVE-2026-28397
Stored XSS in NocoDB Comments via Unsanitized v-html Rendering
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nocodb | nocodb | < 0.301.3 (0.301.3 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28397 is a stored Cross-Site Scripting (XSS) vulnerability in the npm package nocodb, affecting versions up to and including 0.301.2. The issue occurs because comments are rendered using Vue's v-html directive without sanitizing the HTML content. Specifically, comments are processed with markdown-it configured to allow raw HTML and then injected directly into the DOM without a sanitization library such as DOMPurify. A user with the Commenter role can therefore inject arbitrary HTML and JavaScript that executes in the browsers of other users viewing those comments.

This vulnerability is classified as CWE-79, improper neutralization of input during web page generation, leading to stored XSS. [1]
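The following is an added example, not code from NocoDB or from this advisory. It models the two rendering paths the description contrasts: a markdown-to-HTML step that lets raw HTML through (the markdown-it "allow HTML" behaviour feeding v-html) beside one that escapes raw HTML before the markdown rules run (the markdown-it behaviour with HTML disabled). The tiny markdown subset, the helper names and the sample comments are all constructed for the example; the project's own fix, an allowlist sanitizer such as DOMPurify applied to the rendered output, is not implemented here.

```javascript
// Added example (not NocoDB's code). renderVulnerable() stands in for
// markdown-it with raw HTML allowed, its output handed straight to v-html.
// renderHardened() stands in for the HTML-disabled configuration: tags in
// the comment are escaped first, so they arrive in the DOM as text.

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for markdown-it: only *emphasis* and `inline code` are supported.
function markdownToHtml(text) {
  return text
    .replace(/\*([^*\n]+)\*/g, '<em>$1</em>')
    .replace(/`([^`\n]+)`/g, '<code>$1</code>');
}

// Vulnerable path: raw HTML in the comment body survives into the output.
function renderVulnerable(comment) {
  return markdownToHtml(comment);
}

// Hardened path: raw HTML is neutralised before markdown rendering, so
// markdown still works but author-supplied tags cannot reach the DOM.
function renderHardened(comment) {
  return markdownToHtml(escapeHtml(comment));
}

// Crude check on rendered HTML: a script tag or an element carrying an
// inline event handler. Used only to make the difference between the two
// paths observable without a browser.
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample comments: a benign one and the classic harmless probe.
const SAMPLE_COMMENTS = [
  'Looks good, *ship it*',
  '<img src=x onerror=alert(1)> nice `table`',
];

function demo() {
  return SAMPLE_COMMENTS.map((c) => ({
    vulnerable: renderVulnerable(c),
    hardened: renderHardened(c),
    vulnerableActive: hasActiveContent(renderVulnerable(c)),
    hardenedActive: hasActiveContent(renderHardened(c)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Escaping before rendering is the cheaper of the two accepted fixes, but it also strips legitimate inline HTML from comments; a sanitizer run on the rendered output keeps an allowlist of harmless tags instead, which is why the advisory names DOMPurify as the missing piece.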
How can this vulnerability impact me?
This vulnerability can allow an attacker with commenting privileges to inject malicious scripts into the application that will execute in the browsers of other users viewing the affected comments. This can lead to theft of user credentials, session hijacking, defacement, or distribution of malware.
Because the malicious code is stored and served to all users who view the comments, the impact is widespread and persistent until the vulnerability is patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be confirmed by inspecting the Comments.vue component in the affected nocodb versions (up to 0.301.2) to see whether comments are rendered using Vue's v-html directive without sanitization.

Since the issue is stored XSS via comments, you can test by submitting comments containing harmless HTML or JavaScript payloads and observing whether they execute when viewed by other users.

No specific commands are provided in the resources, but general detection steps include:
- Check the installed nocodb version and whether it is older than 0.301.3.
- Use web application security scanners that detect stored XSS vulnerabilities.
- Manually test the comment input fields by injecting test scripts and observing whether they execute. [1]
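Two offline checks that follow from the detection steps above, written here as an added example rather than taken from this page or from NocoDB: a version comparison against 0.301.3, the first fixed release named in this advisory, and a scan of exported comment bodies for markup that would become active when rendered through an unsanitised v-html path. The row shape ({ id, body }), the sample rows and the function names are constructed for the example; adapt the loader to however you export the comments table.

```javascript
// Added example (not NocoDB's code): version check plus a heuristic scan of
// stored comment text for script-bearing HTML.

const FIXED_VERSION = '0.301.3'; // first fixed release per this advisory

function parseVersion(v) {
  // Accept "0.301.2" or "v0.301.2"; anything unparsable returns null.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(installed) {
  const v = parseVersion(installed);
  if (!v) return true; // unknown version: assume affected until proven otherwise
  return compareVersions(v, parseVersion(FIXED_VERSION)) < 0;
}

// Patterns that indicate script-bearing HTML in raw comment text. This is a
// triage heuristic: it flags rows for human review and will also catch users
// who merely quote HTML in a sentence.
const ACTIVE_MARKUP = [
  /<script\b/i,                                 // <script>...</script>
  /<[a-z][^>]*\son[a-z]+\s*=/i,                 // inline handlers: onerror=, onload=
  /\b(?:href|src)\s*=\s*["']?\s*javascript:/i,  // javascript: URLs
  /<(?:iframe|object|embed)\b/i,                // embedding vectors
];

function findSuspiciousComments(rows) {
  return rows
    .filter((row) => ACTIVE_MARKUP.some((re) => re.test(row.body)))
    .map((row) => row.id);
}

// Constructed rows standing in for an export of the comments table.
const SAMPLE_ROWS = [
  { id: 1, body: 'Can we rename this column to *customer_id*?' },
  { id: 2, body: '<img src=x onerror=alert(document.domain)>' },
  { id: 3, body: 'see <a href="javascript:alert(1)">this</a>' },
  { id: 4, body: 'Use `<b>` for bold in the description field' },
];

console.log('0.301.2 affected:', isAffectedVersion('0.301.2'));
console.log('0.301.3 affected:', isAffectedVersion('0.301.3'));
console.log('suspicious comment ids:', findSuspiciousComments(SAMPLE_ROWS));
```

The scan looks at the stored markdown, not at what the browser rendered, so it is useful for finding payloads that were planted before the upgrade; a comment that only mentions a bare tag, like row 4, is deliberately not flagged, while anything with an event handler or a javascript: URL is.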
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade nocodb to version 0.301.3 or later, where this vulnerability has been patched.
Until the upgrade can be performed, consider restricting the Commenter role permissions to trusted users only to reduce the risk of malicious comment injection.
Additionally, on a self-built deployment the injection path can be closed by neutralizing the comment HTML before it reaches v-html: either render the markdown with raw HTML disabled, or run the rendered output through an allowlist sanitizer such as DOMPurify.