Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.
Published: 2026-03-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

NocoDB's rich-text cells were rendered with Vue.js's v-html directive without any sanitization of the stored content, so an attacker who can write to such a cell can store script that executes in the browser of every user who views it. Because the payload runs client-side, it requires no elevated server privileges; it can be used to steal authentication tokens, deface content, or hijack sessions. The weakness is a classic input validation fault (CWE-79).

Affected Systems

The flaw affects all NocoDB installations running versions earlier than 0.301.3. The patch that disables unsanitized rendering was introduced in release 0.301.3. Any deployment that has not yet moved to this or a later version remains vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1 percent, suggesting a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in CISA's KEV catalog, further indicating that widespread exploitation has not been observed. Attackers are likely to target users who can edit rich-text cells: exploitation is interactive, requiring the attacker either to hold editing permissions or to persuade a user who holds them to insert the malicious content.

Generated by OpenCVE AI on April 16, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 0.301.3 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, restrict editing rights for the rich-text cell columns to trusted users only, limiting the injection surface area.
  • Implement application-level content sanitization for any rich-text input to guard against future unsanitized rendering flaws.
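The rendering paths described in the Impact section and the sanitization recommended above, modelled as an added JavaScript example that is not NocoDB's or OpenCVE's code. renderUnsafe mirrors what v-html does (the stored string is emitted as markup verbatim), renderEscaped mirrors text interpolation, and sanitizeRichText is a minimal allow-list tokenizer whose tag and attribute lists are assumptions chosen for illustration; auditCells runs it over constructed sample rows to flag stored values that would be changed. The sample rows, the row shape and the function names are all assumptions. A production deployment should use a maintained sanitizer such as DOMPurify; this block exists to show the allow-list principle and the audit idea, not to replace such a library.

```javascript
// Added example (not NocoDB's code). Runs in plain Node, no Vue or DOM needed.
// Allow-lists below are illustrative assumptions, not NocoDB's real configuration.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'a', 'code', 'pre']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_URL = /^(?:https?:|mailto:)/i; // allow-list of URL schemes for href

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
// Text between tags: neutralise angle brackets, leave existing entities (&amp; etc.) intact.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Mirrors v-html: the stored string becomes markup verbatim (the vulnerable path).
function renderUnsafe(cellValue) {
  return `<div class="cell">${cellValue}</div>`;
}
// Mirrors text interpolation ({{ value }}): markup becomes inert text.
function renderEscaped(cellValue) {
  return `<div class="cell">${escapeHtml(cellValue)}</div>`;
}

// Allow-list sanitizer: re-emits only known tags/attributes and reports what it dropped.
function sanitizeRichText(html) {
  let out = '';
  const dropped = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const gt = html.indexOf('>', lt);
    if (gt === -1) { out += escapeText(html.slice(lt)); break; } // stray '<' at the end
    const m = /^(\/?)([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)(\/?)$/.exec(html.slice(lt + 1, gt));
    i = gt + 1;
    if (!m) { dropped.push('<!...>'); continue; } // comments, doctype, malformed tags
    const [, closing, rawName, attrText, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      dropped.push(`<${closing}${name}>`);
      // script/style bodies are not text: skip them rather than emitting them escaped
      if (!closing && (name === 'script' || name === 'style')) {
        const end = html.toLowerCase().indexOf(`</${name}`, i);
        if (end === -1) break; // unterminated: discard the rest of the value
        const close = html.indexOf('>', end);
        i = close === -1 ? html.length : close + 1;
      }
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    const attrRe = /([a-zA-Z][a-zA-Z0-9:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      const allowed = ALLOWED_ATTRS[name];
      if (!allowed || !allowed.has(attrName)) { dropped.push(`${name}[${attrName}]`); continue; }
      if (attrName === 'href' && !SAFE_URL.test(value)) { dropped.push(`${name}[href=${value}]`); continue; }
      attrs += ` ${attrName}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? ' /' : ''}>`;
  }
  return { html: out, dropped };
}

// Defender-side audit: which stored cells would the sanitizer change?
function auditCells(rows) {
  return rows
    .map((row) => ({ id: row.id, dropped: sanitizeRichText(row.value).dropped }))
    .filter((r) => r.dropped.length > 0);
}

// Constructed sample rows (assumed shape; not real NocoDB records).
const SAMPLE_ROWS = [
  { id: 1, value: '<p>Quarterly <b>review</b> notes</p>' },
  { id: 2, value: '<p>See <a href="https://example.com/doc">the doc</a></p>' },
  { id: 3, value: '<img src=x onerror="alert(1)">' },
  { id: 4, value: '<a href="javascript:alert(1)">click</a><script>alert(2)</script>' },
];

console.log(JSON.stringify(auditCells(SAMPLE_ROWS), null, 2)); // flags rows 3 and 4
```

Running the audit against the stored cell table after upgrading is a cheap way to find content that was injected before the patch; the dropped list tells you which tag or attribute caused the flag so benign `<B>` or `<br/>` variants are not mistaken for injections.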

Advisories

Source: GitHub GHSA
ID: GHSA-wwp2-x4rj-j8rm
Title: NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells

History

Tue, 03 Mar 2026 19:30:00 +0000

Values added:
  • First Time appeared: Nocodb; Nocodb nocodb
  • CPEs: cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*
  • Vendors & Products: Nocodb; Nocodb nocodb
  • Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 03 Mar 2026 16:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:45:00 +0000

Values added:
  • Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.
  • Title: NocoDB: Stored Cross-Site Scripting via Rich Text Cells
  • Weaknesses: CWE-79
  • References:
  • Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:53:33.578Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28401

Vulnrichment

Updated: 2026-03-03T15:53:30.007Z

NVD

Status: Analyzed

Published: 2026-03-02T17:16:35.220

Modified: 2026-03-03T19:02:19.160

Link: CVE-2026-28401

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses