logo

Database

Server side cross-site scripting In nocodb

Description

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Summary

User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS.

Details

Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html available but these paths used raw v-html. Server-side, Comment.insert() used extractProps() instead of extractPropsAndSanitize().

Commenter role is sufficient for the comments vector; Editor role for rich text.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.

Impact

Stored XSS — malicious scripts execute for any user viewing the comment or cell.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-283982. NVD-2026-283983. OSV-2026-283984. GHSA-8vm4-g489-v3w75. GCVE-2026-28398

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w72. https://github.com/nocodb/nocodb/releases/tag/0.301.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-1PXWG – Vulnerability | Fluid Attacks Database