Server-side cross-site scripting in nocodb
Description
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Summary
Rich text cell content rendered via v-html without sanitization, enabling stored XSS.
Details
Rich text in TextArea.vue was parsed by markdown-it with html: true and injected via v-html without DOMPurify. A user with Editor role can inject arbitrary HTML that executes for all viewers.
Impact
Stored XSS — malicious scripts execute for any user viewing the cell.
Credit
This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stockli) and @m-y-mo (Man Yue Mo).
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
npm | 0.301.3 |
Aliases
References