Fluid Attacks Database

Description

NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

Summary

An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.

Details

The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content is rendered via v-html in TextArea.vue through NcMarkdownParser.parse() which performs no sanitization.

Impact

Stored XSS — malicious scripts execute for any user viewing the cell.

Credit

This issue was reported by @Akokonunes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	nocodb	>=0 <0.301.3	0.301.3

Aliases

1. CVE-2026-283592. NVD-2026-283593. OSV-2026-283594. GHSA-qxwq-q265-hc445. GCVE-2026-28359

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc442. https://github.com/nocodb/nocodb/releases/tag/0.301.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.