Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28398 is a stored Cross-Site Scripting (XSS) vulnerability in the npm package nocodb, affecting versions up to 0.301.2 and fixed in version 0.301.3.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because user-controlled content in comments and rich text cells is rendered using Vue's v-html directive without proper sanitization. Specifically, comments and rich text are parsed with markdown-it allowing raw HTML injection and then directly injected via v-html, bypassing the sanitization library vue-dompurify-html."}, {'type': 'paragraph', 'content': 'On the server side, input is not sanitized before storage due to the use of extractProps() instead of the safer extractPropsAndSanitize() method.'}, {'type': 'paragraph', 'content': 'This allows attackers with Commenter or Editor roles to inject malicious scripts that execute in the browsers of users viewing the affected content.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This stored XSS vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected comments or rich text cells.

Such script execution can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the victim.

Because the vulnerability is stored, the malicious payload persists and affects all users who access the compromised content.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored Cross-Site Scripting (XSS) in user-controlled content within comments and rich text cells rendered via v-html without sanitization. Detection involves identifying if your NocoDB instance is running a vulnerable version (up to 0.301.2) and checking for malicious scripts in comments or rich text cells.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by verifying the NocoDB version with a command such as:'}, {'type': 'list_item', 'content': 'npm list nocodb'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can monitor HTTP requests or database entries for suspicious HTML or script tags in comments or rich text fields. For example, searching the database for script tags in comments or rich text cells could be done with a query like:'}, {'type': 'list_item', 'content': "SELECT * FROM comments WHERE content LIKE '%<script>%';"}, {'type': 'list_item', 'content': "SELECT * FROM rich_text_cells WHERE content LIKE '%<script>%';"}, {'type': 'paragraph', 'content': 'Additionally, monitoring web traffic for unusual payloads or using web application scanners that detect stored XSS vulnerabilities can help identify exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where the vulnerability has been patched.

Until the upgrade can be applied, consider restricting user roles that can add comments or edit rich text cells, as the vulnerability can be exploited by users with Commenter and Editor roles.

Additionally, review and sanitize existing comments and rich text cells to remove any malicious scripts.

Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting your NocoDB instance.

Useful 0 Not Useful 0