Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

NocoDB previously allowed user‑controlled comments and rich text cells to be rendered with Vue's v-html directive without sanitization. An attacker who can create or modify content in these fields can embed JavaScript that will execute in the browsers of any user who views the affected record, enabling session hijacking, data exfiltration, or UI defacement. The flaw is a typical stored XSS vulnerability as identified by CWE‑79.

Affected Systems

The vulnerability applies to any NocoDB version before 0.301.3. The affected product is identified as "NocoDB"; all earlier releases are vulnerable as soon as a user can add or edit comments or rich text cells. The issue was addressed in release 0.301.3, so any instance running 0.301.3 or later is no longer susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which further implies that no known large‑scale attacks are currently associated with it. Attackers would need access to the NocoDB UI to inject malicious content, making the attack vector local or requiring compromised user credentials. Overall, the risk is moderate, but the exploitation likelihood remains low under normal circumstances.

Generated by OpenCVE AI on April 16, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later, which includes the input sanitization fix for comments and rich text cells.
  • If an upgrade is not immediately possible, restrict write access to the comment and rich text fields or implement server‑side sanitization to neutralize script tags before storage.
  • Implement web‑application security controls such as a Content Security Policy response header to mitigate the impact of any remaining XSS payloads.
  • Monitor user activity logs for unexpected script insertions and review rendered content for signs of exploitation.
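The sanitization and monitoring items above, as an added illustration that is not NocoDB's code or its 0.301.3 patch: a small allowlist sanitizer of the kind "server-side sanitization before storage" refers to, and a triage sweep over stored rows. The function names (sanitizeRichText, flagSuspiciousRecords), the allowlist and the sample rows are this example's own assumptions; escaping everything that is not allowlisted is what Vue's `{{ }}` interpolation does and what v-html skips.

```javascript
// Added example for this advisory (not NocoDB's code or its 0.301.3 patch):
// an allowlist sanitizer of the kind the "server-side sanitization before
// storage" recommendation refers to, plus a triage sweep over stored rows.
// Names (sanitizeRichText, flagSuspiciousRecords, SAMPLE_RECORDS) are this
// example's own. Production code should use a maintained sanitizer such as
// DOMPurify rather than hand-rolled regexes.

// Tags a comment or rich text cell is allowed to keep. Everything else is
// escaped, which is what Vue's {{ }} interpolation does and v-html does not.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'code', 'a']);

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only <a> may keep an attribute, and only an http(s) href; event handlers,
// style attributes and javascript: URLs are dropped with everything else.
function safeAttributes(tag, rawAttrs) {
  if (tag !== 'a') return '';
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(rawAttrs);
  if (!m) return '';
  const href = (m[1] !== undefined ? m[1] : m[2]).trim();
  if (!/^https?:\/\//i.test(href)) return '';
  return ` href="${escapeHtml(href)}" rel="noopener noreferrer"`;
}

// Walks the input, emitting allowlisted tags bare (or with a vetted href) and
// HTML-escaping all text and every tag that is not on the allowlist. Anything
// the tag regex cannot parse falls through to escaping, so it fails closed.
function sanitizeRichText(input) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    const [whole, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    if (ALLOWED_TAGS.has(tag)) {
      out += slash ? `</${tag}>` : `<${tag}${safeAttributes(tag, attrs)}>`;
    } else {
      out += escapeHtml(whole); // unknown tag is rendered as literal text
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(input.slice(last));
}

// Triage sweep for the "monitor for unexpected script insertions" item:
// returns the ids of stored rows whose raw body carries markup the allowlist
// would have had to neutralize. A heuristic for review, not a security boundary.
const SUSPICIOUS = /<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|object|embed|svg)\b/i;

function flagSuspiciousRecords(records) {
  return records.filter((r) => SUSPICIOUS.test(r.body)).map((r) => r.id);
}

// Constructed sample rows standing in for stored comments; not real NocoDB data.
const SAMPLE_RECORDS = [
  { id: 1, body: 'Looks good, <b>approved</b>.' },
  { id: 2, body: 'See <a href="javascript:alert(1)">this link</a>' },
  { id: 3, body: '<img src=x onerror=alert(1)>' },
];

for (const r of SAMPLE_RECORDS) {
  console.log(r.id, '->', sanitizeRichText(r.body));
}
console.log('flagged for review:', flagSuspiciousRecords(SAMPLE_RECORDS));
```

Run the sweep against the existing comment store once before and once after the upgrade: rows flagged before the upgrade show what was stored while v-html rendered it raw, and the sanitizer shows what the same rows would look like once markup is neutralized at write time.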

Advisories

Source: GitHub GHSA
ID: GHSA-8vm4-g489-v3w7
Title: NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

History

Tue, 03 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nocodb; Nocodb nocodb
CPEs                                  cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
Vendors & Products                    Nocodb; Nocodb nocodb
Metrics                               cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 03 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3.
Title                                 NocoDB: Stored Cross-Site Scripting via Comments and Rich Text Cells
Weaknesses                            CWE-79
References
Metrics                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:55:30.946Z

Reserved: 2026-02-27T15:33:57.288Z

Link: CVE-2026-28398

Vulnrichment

Updated: 2026-03-03T15:55:26.527Z

NVD

Status: Analyzed

Published: 2026-03-02T17:16:34.923

Modified: 2026-03-03T19:01:49.407

Link: CVE-2026-28398

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses