Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) in the Formula virtual cell
Action: Patch
AI Analysis

Impact

A stored XSS vulnerability resides in NocoDB’s Formula virtual cell. When a Formula result contains a URI::() pattern, the result is rendered via v-html without sanitization, enabling injected HTML to be executed in a user’s browser. This flaw allows an attacker who can insert or modify Formula data to execute arbitrary client‑side scripts, potentially stealing credentials or defacing the application.

Affected Systems

All installations of NocoDB prior to version 0.301.3 are affected. The vulnerability is specific to the Formula virtual cell feature within the NocoDB product.

Risk and Exploitability

The flaw has a CVSS score of 5.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Because it requires an attacker to submit malicious Formula input, the risk primarily applies to systems where users can freely edit Formula cells.

Generated by OpenCVE AI on April 16, 2026 at 14:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later, which patches the vulnerability.
  • If an immediate upgrade is not possible, restrict or disable Formula virtual cells for untrusted users, or implement input filtering to sanitize URI::() patterns before rendering.
  • Ensure that only authorized personnel have permission to modify or create Formula cells, and audit such changes for suspicious content.

Generated by OpenCVE AI on April 16, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vx5p-q85x-xm3c NocoDB has Stored Cross-site Scripting via Formula Cell
History

Tue, 03 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
CPEs cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Vendors & Products Nocodb
Nocodb nocodb
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 02 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.
Title NocoDB: Stored Cross-Site Scripting via Formula Cell
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Nocodb Nocodb
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T16:50:36.400Z

Reserved: 2026-02-26T18:38:13.890Z

Link: CVE-2026-28357

cve-icon Vulnrichment

Updated: 2026-03-02T16:50:18.800Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T17:16:33.797

Modified: 2026-03-03T18:57:07.740

Link: CVE-2026-28357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses