Impact
NocoDB, a spreadsheet‑style database builder, contained a stored cross‑site scripting vulnerability in versions before 2026.05.1 when the NC_SECURE_ATTACHMENTS=true setting was enabled. An authenticated uploader could submit an .html or .svg file; because the system saved header overrides under PascalCase keys while the download controller looked them up under dash‑separated lowercase names, the lookup missed and the Content‑Disposition: attachment header was never set. Express then served the file inline, so the browser rendered the uploaded markup and any script in it ran in the origin of the NocoDB instance. Executed in the context of another authenticated user's session, that payload could steal session cookies, deface content, or carry out other browser‑based attacks. The weakness is classified as CWE‑79 (stored cross‑site scripting).
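To make the key-convention mismatch concrete, the following is an added example in JavaScript, the language of the Express layer the advisory mentions. It is not NocoDB's code: the key spellings (`ContentDisposition` versus `content-disposition`), the function names, the shape of the override object and the sample filename `payload.svg` are assumptions constructed to reproduce the failure mode. Beside the vulnerable lookup it shows a hardened version that normalizes header names before lookup and forces browser-renderable uploads to download regardless of what the override store contains, plus a check that answers the question a tester asks of a captured response: would the browser render this?

```javascript
// Added illustration of the header-key mismatch described above. This is not
// NocoDB's code: the key spellings, function names and override shape are
// assumptions chosen to reproduce the failure mode, not the project's internals.

// Browser-renderable types that must never be served inline from user uploads.
const RENDERABLE_EXTS = new Set(['html', 'htm', 'xhtml', 'svg', 'xml']);

// Constructed sample of what the storage side might persist: PascalCase keys.
function storedOverridesFor(filename) {
  return {
    ContentType: 'application/octet-stream',
    ContentDisposition: `attachment; filename="${filename}"`,
  };
}

// Vulnerable pattern: the download path looks the overrides up under
// lowercase dash-separated names. Neither key exists, so no header is set;
// res.sendFile()/res.type() then infers text/html or image/svg+xml from the
// extension and the browser renders the upload inline.
function buildHeadersVulnerable(overrides) {
  const headers = {};
  if (overrides['content-type']) headers['Content-Type'] = overrides['content-type'];
  if (overrides['content-disposition']) {
    headers['Content-Disposition'] = overrides['content-disposition'];
  }
  return headers;
}

// Canonical header-name form shared by writer and reader: lowercase, no dashes.
// 'Content-Disposition', 'ContentDisposition' and 'content-disposition' all
// become 'contentdisposition'.
function canonical(name) {
  return name.replace(/-/g, '').toLowerCase();
}

function normalizeOverrides(overrides) {
  const out = {};
  for (const [k, v] of Object.entries(overrides)) out[canonical(k)] = v;
  return out;
}

// Keep the filename usable inside a quoted Content-Disposition parameter:
// take the last path segment and drop quotes, backslashes and control bytes.
function safeFilename(filename) {
  const base = filename.split(/[\\/]/).pop() || 'download';
  const cleaned = base.replace(/["\\\x00-\x1f\x7f]/g, '');
  return cleaned || 'download';
}

// Hardened pattern: key-agnostic lookup, and a policy that does not depend on
// the override store at all. Renderable uploads are always forced to download
// with an opaque type and nosniff, so a missing or mis-keyed override cannot
// reintroduce inline rendering.
function buildHeadersHardened(overrides, filename) {
  const o = normalizeOverrides(overrides);
  const name = safeFilename(filename);
  const ext = (name.includes('.') ? name.split('.').pop() : '').toLowerCase();
  const headers = {
    'Content-Type': o.contenttype || 'application/octet-stream',
    'Content-Disposition': o.contentdisposition || `attachment; filename="${name}"`,
    'X-Content-Type-Options': 'nosniff',
  };
  if (RENDERABLE_EXTS.has(ext)) {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${name}"`;
  }
  return headers;
}

// Check for a captured response (from a test client or a proxy): true if a
// browser would render the body as a document rather than save it.
function servedInline(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === 'content-disposition');
  return !entry || !/^\s*attachment\b/i.test(entry[1]);
}

// Stand-alone demo on a constructed upload name.
const demoFile = 'payload.svg';
console.log('vulnerable inline:', servedInline(buildHeadersVulnerable(storedOverridesFor(demoFile))));
console.log('hardened inline:  ', servedInline(buildHeadersHardened(storedOverridesFor(demoFile), demoFile)));
```

The `servedInline` check is the verification to run after patching: fetch a previously uploaded .svg or .html through the download endpoint and confirm the response carries `Content-Disposition: attachment` (and, ideally, `X-Content-Type-Options: nosniff`). If it does not, the browser will render the file, whatever the override store says.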
Affected Systems
Affected are NocoDB deployments of any version prior to 2026.05.1 that run with NC_SECURE_ATTACHMENTS=true; the flaw sits in the secure‑attachment download path, so deployments without that setting are not exposed to this issue. Any authenticated user with upload rights can store an .html or .svg file that the server returns without a Content‑Disposition: attachment header, and any authenticated user who later opens that file has the payload executed in their browser.
Risk and Exploitability
The CVSS base score of 5.1 corresponds to medium severity. No EPSS score is available, so the likelihood of exploitation in the wild is unknown, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The attack is delivered over the web interface and requires two things: an authenticated account with upload privileges to plant the malicious file, and a second authenticated user to open it. No server‑side privilege escalation is involved. The risk is therefore moderate, but the fix should be applied promptly by upgrading to 2026.05.1 or later. After upgrading, verify by fetching a previously uploaded .svg or .html file through the download endpoint and confirming that the response carries Content‑Disposition: attachment.
OpenCVE Enrichment
GitHub GHSA