CVE-2026-53929
Stored XSS via HTML/SVG Attachments in NocoDB

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1.
Meta Information
Generated: 2026-06-24
AI Q&A generated: 2026-06-24
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb
Product: nocodb
Version / Range: to 2026.05.1 (inc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.05.1 when the NC_SECURE_ATTACHMENTS setting is enabled. An authenticated uploader could upload .html or .svg files that the browser would render inline from the NocoDB origin instead of forcing the files to be downloaded.

The root cause is a mismatch in how response-header overrides are stored and read: the signed attachment handler stores headers with PascalCase keys (e.g., ResponseContentDisposition), but the controller serving the file reads them using lowercase-hyphen keys (e.g., response-content-disposition). This mismatch causes the Content-Disposition: attachment header to be dropped, allowing Express to auto-render certain file types inline.

This behavior could lead to unintended inline rendering of potentially unsafe HTML or SVG files uploaded by authenticated users.
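The key mismatch described above, reconstructed as an added illustration in JavaScript. This is not NocoDB's code: the function names, the shape of the override map and the sample attachment are assumptions. A signing side records overrides under PascalCase keys, a serving side looks them up under lowercase-hyphen keys and therefore never emits Content-Disposition: attachment, and a fixed serving side canonicalises the keys and, independently of the override map, refuses to send HTML or SVG without a download disposition.

```javascript
// Added illustration, not NocoDB's code. All names below are hypothetical.

// Content types a browser will execute script from when rendered inline on
// the serving origin. Attachments of these types must always be downloaded.
const ACTIVE_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
]);

// Signing side: records per-attachment response-header overrides.
// In the vulnerable layout it uses PascalCase keys, as the advisory describes.
function signAttachmentVulnerable(path, contentType) {
  return {
    path,
    overrides: {
      ResponseContentType: contentType,
      ResponseContentDisposition: "attachment",
    },
  };
}

// Serving side (vulnerable): reads lowercase-hyphen keys. The PascalCase
// entries are never found, so the disposition override is silently dropped
// and the response goes out with only a Content-Type.
function serveAttachmentVulnerable(signed, detectedType) {
  const o = signed.overrides;
  const headers = {
    "Content-Type": o["response-content-type"] || detectedType,
  };
  const disposition = o["response-content-disposition"];
  if (disposition) headers["Content-Disposition"] = disposition;
  return headers; // no Content-Disposition: the browser renders inline
}

// Fix, part 1: canonicalise override keys so both spellings resolve.
// "ResponseContentDisposition" -> "response-content-disposition".
function canonicalKey(key) {
  return key
    .replace(/([a-z0-9])([A-Z])/g, "$1-$2")
    .replace(/_/g, "-")
    .toLowerCase();
}

function normalizeOverrides(overrides) {
  const out = {};
  for (const [k, v] of Object.entries(overrides || {})) {
    out[canonicalKey(k)] = v;
  }
  return out;
}

// Fix, part 2: look up overrides through the canonical key and apply a hard
// rule that active content types always get Content-Disposition: attachment,
// whatever the override map says. The key mismatch was the bug, but the
// serving side should not depend on the map alone to keep HTML/SVG off the origin.
function serveAttachmentFixed(signed, detectedType) {
  const o = normalizeOverrides(signed.overrides);
  const contentType = (o["response-content-type"] || detectedType || "application/octet-stream")
    .toLowerCase();
  let disposition = o["response-content-disposition"] || "attachment";
  if (ACTIVE_TYPES.has(contentType.split(";")[0].trim())) {
    disposition = "attachment";
  }
  return {
    "Content-Type": contentType,
    "Content-Disposition": disposition,
    // Prevents a renamed file from being sniffed back into an active type.
    "X-Content-Type-Options": "nosniff",
  };
}

// Defender's check: does a response header set force a download?
function forcesDownload(headers) {
  const d = headers["Content-Disposition"] || "";
  return /^\s*attachment\b/i.test(d);
}

// Constructed sample: a signed SVG attachment served by both handlers.
const sampleSigned = signAttachmentVulnerable("/files/diagram.svg", "image/svg+xml");
const beforeFix = serveAttachmentVulnerable(sampleSigned, "image/svg+xml");
const afterFix = serveAttachmentFixed(sampleSigned, "image/svg+xml");
console.log("vulnerable handler forces download:", forcesDownload(beforeFix)); // false
console.log("fixed handler forces download:", forcesDownload(afterFix));       // true
```

The canonicalisation alone would have closed the reported gap; the deny-list on active content types is there so that a future regression in the override path cannot reopen it, and the nosniff header keeps a browser from reinterpreting a file that was served under a harmless type.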

Impact Analysis

The vulnerability can lead to security risks such as cross-site scripting (XSS) or content injection because .html or .svg files uploaded by authenticated users are rendered inline by the browser instead of being downloaded.

This could allow attackers to execute malicious scripts in the context of the NocoDB origin, potentially compromising user data or session information.

The impact is rated with a CVSS base score of 5.1, a medium-severity vulnerability that requires low privileges and user interaction.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.
