Fluid Attacks Database

Description

NocoDB: Stored Cross-Site Scripting via Row Comments

Summary

An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.

Details

The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.

Impact

Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from localStorage. Authentication and comment permission are required.

Credit

This issue was reported by @DavidCarliez. It was independently reported by @Mouhebbenelwafi.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	nocodb	>=0 <2026.05.1	2026.05.1

Aliases

1. CVE-2026-473832. NVD-2026-473833. OSV-2026-473834. GHSA-jf3g-4gwg-4h665. GCVE-2026-47383

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-jf3g-4gwg-4h662. https://github.com/nocodb/nocodb/releases/tag/2026.05.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.