Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

NocoDB allows users to create databases and interact with them through spreadsheet‑like interfaces. In versions prior to 0.301.3 an authenticated user who has an Editor role can bypass the built‑in TipTap editor and submit raw HTML directly to Rich Text cells via the API. This results in a stored Cross‑Site Scripting vulnerability, meaning the malicious script becomes part of the database record and will be rendered on any subsequent page that displays the cell content, potentially compromising the confidentiality, integrity, or availability of user sessions.

Affected Systems

Affected product: NocoDB, all releases before 0.301.3. An authenticated user with Editor privileges can exploit the flaw. The issue is confined to the web application layer, with no specific operating system dependency.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. Although the flaw is not listed in the CISA KEV catalog, it can be leveraged by any user who has been granted Editor permissions. Attackers need an authenticated account on the NocoDB instance, so the threat comes from inside the user base rather than from anonymous network users; once authenticated, however, such a user can inject persistent malicious content that affects every user who views the affected Rich Text cells.

Generated by OpenCVE AI on April 16, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NocoDB release 0.301.3 or later to receive the fix for the Rich Text field injection flaw.
  • If an upgrade cannot be performed immediately, restrict the use of Rich Text fields to read‑only or remove existing content that may contain raw HTML, and limit Editor role permissions to trusted users only.
  • Ensure that any remaining APIs or interfaces that accept Rich Text input disable raw HTML and properly sanitize content until the application is updated.



Advisories

Source: GitHub GHSA
ID: GHSA-qxwq-q265-hc44
Title: NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

History

Tue, 03 Mar 2026 19:00:00 +0000

Values added:
  • First Time appeared: Nocodb; Nocodb nocodb
  • CPEs: cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
  • Vendors & Products: Nocodb; Nocodb nocodb
  • Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 03 Mar 2026 16:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:45:00 +0000

Values added:
  • Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3.
  • Title: NocoDB: Stored Cross-Site Scripting via Rich Text Field
  • Weaknesses: CWE-79
  • References
  • Metrics (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-03T16:07:12.875Z
Reserved: 2026-02-26T18:38:13.890Z
Link: CVE-2026-28359

Vulnrichment

Updated: 2026-03-03T16:07:06.073Z

NVD

Status: Analyzed
Published: 2026-03-02T17:16:34.120
Modified: 2026-03-03T18:57:42.023
Link: CVE-2026-28359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:45:25Z

Weaknesses