Server side cross-site scripting in nocodb

Description

NocoDB has Stored Cross-site Scripting via Formula Cell

Summary

A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute.

Details

The replaceUrlsWithLink() function in urlUtils.ts converts URI::(url) patterns into <a> tags but passes all other HTML through unchanged, and the result is bound with v-html. A user with the Creator role (the lowest role that can create formula fields) can craft a formula such as CONCAT("URI::(https://example.com)", "<img src=x onerror=...>") to inject arbitrary script that is rendered for every user viewing the table.
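The rendering defect described above, shown as an added example that is not NocoDB's code: a hypothetical replaceUrlsWithLinkUnsafe() reproduces the vulnerable shape (only the URI::() pattern is rewritten, everything else reaches v-html verbatim), and replaceUrlsWithLinkSafe() beside it HTML-escapes every segment before building anchors and links only http(s) URLs. The function names, the regex, the escaping helper and the sample formula output are assumptions made for this example.

```typescript
// Added example, not NocoDB's urlUtils.ts. Pattern and helpers are assumed.
const URI_PATTERN = /URI::\(([^)]*)\)/g;

// Escape the five HTML metacharacters so text can never become markup.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Scheme allowlist: only http(s) URLs without quote/angle characters are linked.
function isSafeHttpUrl(url: string): boolean {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url);
}

// Vulnerable shape from the advisory: the URI::() pattern is rewritten, and the
// surrounding text is passed through unchanged into a v-html binding.
export function replaceUrlsWithLinkUnsafe(text: string): string {
  return text.replace(
    URI_PATTERN,
    (_m, url: string) => `<a href="${url}" target="_blank">${url}</a>`
  );
}

// Hardened version: escape every non-matching segment, validate the URL, and
// escape it again when it is placed in the attribute and the anchor body.
export function replaceUrlsWithLinkSafe(text: string): string {
  const re = new RegExp(URI_PATTERN.source, "g");
  const out: string[] = [];
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    out.push(escapeHtml(text.slice(last, m.index)));
    const url = m[1];
    if (isSafeHttpUrl(url)) {
      const safe = escapeHtml(url);
      out.push(
        `<a href="${safe}" rel="noopener noreferrer" target="_blank">${safe}</a>`
      );
    } else {
      // Unsupported scheme or malformed URL: render the raw pattern as text.
      out.push(escapeHtml(m[0]));
    }
    last = m.index + m[0].length;
  }
  out.push(escapeHtml(text.slice(last)));
  return out.join("");
}

// Constructed sample of what a CONCAT() formula from the advisory could produce.
export const SAMPLE_FORMULA_OUTPUT =
  "URI::(https://example.com) <img src=x onerror=...>";
```

With SAMPLE_FORMULA_OUTPUT the unsafe function emits the <img> tag unchanged, while the safe function emits the anchor followed by "&lt;img src=x onerror=...&gt;", which the browser displays as text. A URI::() pattern whose URL is not http(s) is left as escaped text rather than becoming a link.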

Impact

Credential theft via script execution in the context of users viewing the table.

Credit

This issue was reported by @Akokonunes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-DY5UV – Vulnerability | Fluid Attacks Database