CVE-2026-47383
Status: Received - Intake
XSS in NocoDB via Unsanitized Row Comments

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
1 associated CPE
Vendor: nocodb; Product: nocodb; Version / Range: up to 2026.05.1 (listed as inclusive)
Note: the description states that 2026.05.1 is the fixed release and that versions prior to it are affected, so the inclusive upper bound in the CPE range should be read as "prior to 2026.05.1".
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions (AI-generated)
Executive Summary

This vulnerability in NocoDB allows an authenticated commenter to store HTML content in row comments that executes as script when other users hover over the comment in the expanded form view.

The issue arises because the comment write paths save the raw comment body without server-side sanitisation, and the expanded-form sidebar renders this stored content with HTML allowed, enabling script execution.

Even if script tags are stripped at write time, attribute-level payloads (markup whose script lives in an attribute rather than in a script element) still re-enter the DOM as live HTML on hover, which makes this a stored cross-site scripting (XSS) issue.

This vulnerability was fixed in version 2026.05.1 of NocoDB.
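As an added illustration of the path described in the Description and in the Executive Summary above (example code written for this page, not NocoDB's code and not the 2026.05.1 patch): a Node.js simulation of a stored comment body flowing into a tooltip. The `tooltipMarkup` function is a hypothetical stand-in for the Tippy call; only the `allowHTML` option name is taken from the description. `stripScriptTags`, `escapeHtml`, `activeMarkup` and the sample comments are constructed for the example and are not NocoDB's filters or real data.

```javascript
// Added example, not NocoDB's code: simulates the stored-XSS path described in the
// advisory (raw comment body stored, then rendered as HTML in a tooltip on hover)
// and shows why stripping <script> tags at write time is not enough.
// All payloads below are constructed sample inputs.

// A write-time filter that removes only <script> elements (the insufficient
// control the description alludes to). Attribute-level payloads pass through.
function stripScriptTags(body) {
  return body.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Output encoding that is safe for HTML text content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for the tooltip library call: with allowHTML true the
// stored body is inserted as markup (the vulnerable path); with allowHTML false
// it is rendered as text (the hardened path). Only the option name is from the advisory.
function tooltipMarkup(storedBody, allowHTML) {
  return allowHTML ? storedBody : escapeHtml(storedBody);
}

// Conservative, tag-aware scan for markup that executes script once inserted into
// the DOM: script elements, on* event-handler attributes, and javascript: URLs in
// URL-bearing attributes. An escaped body contains no literal '<', so it yields
// no findings. Heuristic for the demo, not a sanitiser.
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s=]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);

function activeMarkup(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    if (tag === "script") findings.push("script element");
    for (const a of m[2].matchAll(ATTR_RE)) {
      const name = a[1].toLowerCase();
      // Drop surrounding quotes, then whitespace, so "java\tscript:" is still caught.
      const value = a[2].replace(/^["']|["']$/g, "").replace(/\s+/g, "");
      if (name.startsWith("on")) findings.push(`${tag}@${name}`);
      if (URL_ATTRS.has(name) && /^javascript:/i.test(value)) {
        findings.push(`${tag}@${name}=javascript:`);
      }
    }
  }
  return findings;
}

// Constructed sample comments: a script-element payload, an attribute-level
// payload, a javascript: URL, and a benign comment that merely contains HTML
// metacharacters.
const SAMPLE_COMMENTS = {
  scriptTag: '<script>alert(1)</script>Looks good to me',
  eventHandler: '<img src=x onerror="alert(document.cookie)">Looks good to me',
  jsUrl: '<a href="javascript:alert(1)">Looks good to me</a>',
  benign: 'Ship it, 5 > 3 & "quotes" are fine',
};

// Runs one comment through write-time stripping and both render modes and
// returns the findings per stage, so the effect of each control is visible.
function evaluateComment(rawBody) {
  const stored = stripScriptTags(rawBody);
  return {
    stored,
    afterStripOnly: activeMarkup(tooltipMarkup(stored, true)),  // vulnerable path
    afterEscape: activeMarkup(tooltipMarkup(stored, false)),    // hardened path
  };
}

function demo() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_COMMENTS)) {
    out[name] = evaluateComment(body);
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node`. The `eventHandler` sample survives `stripScriptTags` unchanged and produces an `img@onerror` finding on the `allowHTML: true` path, which is the advisory's point: filtering script tags at write time does nothing for attribute-level payloads once the body is inserted as HTML. The `benign` sample shows that the text-rendering path keeps ordinary comments readable (entities are decoded by the browser) while neutralising every sample. Rendering the body as text is one way to close this kind of hole; the page does not describe what the 2026.05.1 fix actually changed.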

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where malicious scripts execute in the context of other users viewing the comments.

Such attacks can result in unauthorized actions performed on behalf of users, theft of sensitive information, session hijacking, or other malicious activities.

Because exploitation requires only an authenticated commenter, a low-privileged user can plant a comment that executes in the browser of any user who hovers over it in the expanded form view, including users with higher privileges.

Mitigation Strategies

The vulnerability is fixed in NocoDB version 2026.05.1. To mitigate this vulnerability, you should upgrade your NocoDB installation to version 2026.05.1 or later.
