Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
Published: 2026-01-28
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting enabling account takeover
Action: Patch Immediately
AI Analysis

Impact

NocoDB’s attachment handling has a stored cross‑site scripting flaw where authenticated users can upload malicious SVG files that contain JavaScript. When another user opens the attachment the script runs in the context of the application’s origin, potentially compromising the viewing account and allowing data exfiltration or unauthorized actions. The weakness is classified as CWE‑79 (XSS) and CWE‑434 (Improper Restriction of XML or other code syntaxes).

Affected Systems

The vulnerability affects all installations of NocoDB prior to version 0.301.0; the product is distributed under the name NocoDB and is identified in the NOCODB namespace. Any deployment of these earlier releases with enabled SVG upload capability is vulnerable.

Risk and Exploitability

The CVSS base score is 8.5, indicating high severity, but the current EPSS score is less than 1%, suggesting that exploitation is unlikely at the present time. The flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to upload a crafted SVG and a second user to view it; once the payload executes, the attacker can compromise the victim’s account and perform actions as that user.

Generated by OpenCVE AI on April 18, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.0 or later to apply the vendor fix
  • If an upgrade cannot be performed immediately, disable SVG uploads or enforce a strict whitelist of safe file types
  • Ensure that attachments are served with safe MIME types or sanitized before display to prevent embedded script execution

Generated by OpenCVE AI on April 18, 2026 at 01:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q5c6-h22r-qpwr NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
History

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Thu, 29 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Wed, 28 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
Title NocoDB Vulnerable to Stored Cross-Site Scripting via SVG upload
Weaknesses CWE-434
CWE-79
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P'}

Subscriptions

Nocodb Nocodb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T14:02:12.813Z

Reserved: 2026-01-26T21:06:47.868Z

Link: CVE-2026-24769

cve-icon Vulnrichment

Updated: 2026-01-29T14:01:36.098Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-28T21:16:12.587

Modified: 2026-02-04T20:01:56.087

Link: CVE-2026-24769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses