Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via unsanitized comments in NocoDB
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows attackers to embed malicious JavaScript into comments that are rendered via v-html without any sanitization. This stored cross‑site scripting executes arbitrary script in the browser context of any user who views the comment, potentially leading to session hijacking, data exfiltration, or defacement of the application. The weakness is classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation, i.e. cross‑site scripting).

Affected Systems

NocoDB installations running versions prior to 0.301.3 are affected. The vulnerability has been patched in release 0.301.3 and later. All earlier releases that include the comment feature are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity impact, while the EPSS score of less than 1% suggests a very low probability of public exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be local via the comment interface; an attacker can inject a payload that will be executed when any user views the comment. This inference is based on the description and is not explicitly stated in the CVE data. The attack appears relatively simple to execute but relies on the availability of the comment feature and may require authenticated access to add the malicious comment.

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later where the comment rendering is sanitized
  • If upgrading is not immediately possible, disable the comment feature or remove the v-html rendering to eliminate the storage of unsanitized HTML
  • Implement a Content Security Policy that restricts inline script execution and limits third‑party script sources to further mitigate the impact of any residual XSS attempts

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.
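To make the rendering pattern behind this advisory and the recommended fix concrete, here is an added illustration in plain JavaScript; it is not NocoDB's code, and the comment object shape is an assumption. Vue's v-html assigns the bound string to innerHTML, so stored markup in a comment body is parsed and any active content runs, whereas text interpolation escapes it.

```javascript
// Added illustration (not NocoDB's code); the `comment.body` shape is assumed.
// v-html writes the bound string to innerHTML, so the browser parses any tags
// stored in the comment. Vue's {{ }} interpolation escapes the text instead,
// which is the behaviour a sanitized comment renderer needs.

// Escape the characters that let untrusted text break out of text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored body is spliced into the markup untouched,
// equivalent to `<div v-html="comment.body">`.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment.body}</div>`;
}

// Fixed pattern: the body is escaped before it reaches the markup,
// equivalent to `<div>{{ comment.body }}</div>`.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment.body)}</div>`;
}

// Constructed sample: a stored comment carrying an event-handler attribute.
const sampleComment = { body: '<img src=x onerror="alert(1)">' };
```

With the unsafe renderer the `img` tag is parsed and its handler fires for every viewer; with the safe renderer the same body is shown literally as text.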

Advisories

Source: GitHub GHSA
ID: GHSA-rcph-x7mj-54mm
Title: NocoDB Vulnerable to Stored Cross-site Scripting via Comments

History

Tue, 03 Mar 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Nocodb; Nocodb nocodb

Type: CPEs
Values Added: cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Nocodb; Nocodb nocodb

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 03 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 16:45:00 +0000

Type: Description
Values Added: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.

Type: Title
Values Added: NocoDB: Stored Cross-Site Scripting via Comments

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-03T15:56:01.193Z
Reserved: 2026-02-27T15:33:57.288Z
Link: CVE-2026-28397

Vulnrichment

Updated: 2026-03-03T15:55:55.544Z

NVD

Status: Analyzed
Published: 2026-03-02T17:16:34.777
Modified: 2026-03-03T19:01:30.623
Link: CVE-2026-28397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses