CVE-2026-47383
Deferred Deferred - Pending Action

XSS in NocoDB via Unsanitized Row Comments

Vulnerability report for CVE-2026-47383, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-25
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in NocoDB allows an authenticated commenter to store HTML content in row comments that executes as script when other users hover over the comment in the expanded form view.

The issue arises because the comment write paths save the raw comment body without server-side sanitisation, and the expanded-form sidebar renders this stored content with HTML allowed, enabling script execution.

Even if script tags are stripped at write time, attribute-level payloads can still re-enter the DOM as live HTML on hover, leading to cross-site scripting (XSS).

This vulnerability was fixed in version 2026.05.1 of NocoDB.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where malicious scripts execute in the context of other users viewing the comments.

Such attacks can result in unauthorized actions performed on behalf of users, theft of sensitive information, session hijacking, or other malicious activities.

Because the vulnerability requires an authenticated commenter, it could be exploited by users with limited privileges to affect other users with potentially higher privileges.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.05.1. To mitigate this vulnerability, you should upgrade your NocoDB installation to version 2026.05.1 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47383. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart