CVE-2026-28401
Status: Received - Intake
Stored XSS in NocoDB Rich Text Cells via Unsanitized v-html

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-05-07
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor | Product | Version / Range
nocodb | nocodb | all versions before 0.301.3 (0.301.3 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28401 is a stored Cross-Site Scripting (XSS) vulnerability in the npm package nocodb, affecting versions up to and including 0.301.2.

The issue occurs because rich text cell content is rendered using Vue's v-html directive without any sanitization, allowing HTML and scripts to be injected and executed.

Specifically, the markdown-it parser is configured with HTML parsing enabled, and the resulting content is directly injected into the DOM without filtering, enabling users with Editor roles to insert malicious scripts.

This vulnerability corresponds to CWE-79 (Improper Neutralization of Input During Web Page Generation) and was fixed in version 0.301.3. [1]


How can this vulnerability impact me?

This vulnerability allows attackers with Editor roles to inject arbitrary HTML and scripts into rich text cells.

These malicious scripts execute in the context of any user viewing the affected cells, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the user.

Because the scripts are stored and executed for all viewers, the impact can be widespread within an organization using vulnerable versions of nocodb.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves stored Cross-Site Scripting (XSS) in rich text cells rendered via v-html without sanitization in NocoDB versions up to 0.301.2.

Detection can involve inspecting the content of rich text cells for suspicious or malicious HTML or script tags that could be executed when rendered.

Since the vulnerability is related to stored content, network detection might be limited, but you can check the version of NocoDB running on your system to identify if it is vulnerable.

Suggested commands to detect the vulnerable version include:

- Check the installed NocoDB version via command line: `nocodb --version`, or check the package.json if installed via npm: `npm list nocodb`.
- Search the database or spreadsheet cells for suspicious HTML or script tags using database queries or export and grep commands, for example: `grep -r '<script' /path/to/nocodb/data`. [1]
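As an added illustration of the two checks described above (example code written for this page, not NocoDB's own code and not from the advisory), the following Node.js script applies the advisory's affected range (< 0.301.3) to a version string and flags exported rich text cells that carry active HTML for review; the row shape and the column name `Notes` are assumptions.

```javascript
// Added example, not NocoDB's own code: triage helpers for CVE-2026-28401.
// isVulnerableVersion() applies the advisory's affected range (< 0.301.3);
// scanRichTextCells() flags stored rich text that carries active HTML so
// it can be reviewed. The regexes are review heuristics, not a sanitizer:
// sanitizing belongs in the renderer (e.g. DOMPurify before v-html).

function isVulnerableVersion(version) {
  // Accepts "0.301.2" or "v0.301.2"; pre-release suffixes are rejected.
  const parts = version.replace(/^v/, '').split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  const fixed = [0, 301, 3];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 0.301.3 is the fixed release
}

// Markers of active content in stored HTML (order matters: the first match wins).
const ACTIVE_HTML = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /<[^>]*\son\w+\s*=/i },
  { name: 'javascript-url', re: /\b(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedded-frame', re: /<\s*(?:iframe|object|embed)\b/i },
];

// rows: exported records; richTextColumns: names of the rich text fields.
function scanRichTextCells(rows, richTextColumns) {
  const findings = [];
  for (const row of rows) {
    for (const column of richTextColumns) {
      const value = row[column];
      if (typeof value !== 'string') continue;
      const hit = ACTIVE_HTML.find(({ re }) => re.test(value));
      if (hit) findings.push({ id: row.Id, column, reason: hit.name });
    }
  }
  return findings;
}

// Constructed sample export (not real data) with one rich text column "Notes".
const SAMPLE_ROWS = [
  { Id: 1, Notes: '<p>Quarterly <strong>review</strong> notes</p>' },
  { Id: 2, Notes: '<p>See <a href="https://example.org/doc">the doc</a></p>' },
  { Id: 3, Notes: '<img src="x" onerror="void 0">' },
];

console.log(isVulnerableVersion('0.301.2'), scanRichTextCells(SAMPLE_ROWS, ['Notes']));
```

A flagged cell is a review item, not proof of compromise; the fix for the rendering path remains upgrading to 0.301.3 or later.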


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade NocoDB to version 0.301.3 or later, where the vulnerability has been patched.

Until the upgrade can be applied, restrict Editor role permissions to trusted users only, as the vulnerability allows users with Editor roles to inject malicious scripts.

Avoid rendering rich text content using v-html without sanitization in any custom modifications or forks of NocoDB.

Consider implementing additional input sanitization or filtering mechanisms such as DOMPurify to prevent injection of malicious HTML or scripts.

