7.5

NocoDB: Stored Cross-Site Scripting Risk in Rich Text Cells

CVE-2026-28401 · GHSA-wwp2-x4rj-j8rm
Summary

NocoDB's rich text cells render user-supplied content as HTML without sanitization, so a user with the Editor role can store HTML or JavaScript in a cell that executes in the browser of every user who views it (stored XSS). A successful payload runs with the victim's session and can perform actions or read data on their behalf. To mitigate this, update NocoDB to a fixed version (0.301.3 or later) or apply the recommended fix.

What to do
  • Update nocodb (pranavxc/nocodb) to version 0.301.3 or later. Because the payload is stored in cell content and executes on render, any user who views an affected cell is exposed until the rendering path is patched.
Affected software

| Vendor   | Product | Affected versions | Fix available |
|----------|---------|-------------------|---------------|
| pranavxc | nocodb  | <= 0.301.2        | 0.301.3       |
| nocodb   | nocodb  | <= 0.301.3        |               |
| pranavxc | nocodb  | <= 0.301.3        | 0.301.3       |
Original title
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Original description
### Summary
Rich text cell content rendered via `v-html` without sanitization, enabling stored XSS.

### Details
Rich text in `TextArea.vue` was parsed by markdown-it with `html: true` and injected via `v-html` without DOMPurify. A user with Editor role can inject arbitrary HTML that executes for all viewers.

### Impact
Stored XSS — malicious scripts execute for any user viewing the cell.

### Credit
This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members [@p-](https://github.com/p-) (Peter Stockli) and [@m-y-mo](https://github.com/m-y-mo) (Man Yue Mo).
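The following is an added example, not NocoDB's code and not part of the advisory. It models the render path described above with a deliberately small stand-in for markdown-it (paragraphs, `**bold**` and inline code only) and a deliberately small allowlist sanitizer standing in for DOMPurify, so that it runs offline with no dependencies. The sample cell content is constructed. It shows three render paths side by side: raw HTML passthrough (the vulnerable `html: true` plus `v-html` combination), HTML escaping (what `html: false` gives you), and passthrough followed by sanitization, plus a check a reviewer can run over rendered output to see whether anything executable survived.

```javascript
// Added example (not NocoDB's code). The renderer and sanitizer below are
// illustrative stand-ins for markdown-it and DOMPurify; use the real
// libraries in production.

// Escape the characters that matter when text lands inside HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Inline markdown subset: **bold** and `code`.
function renderInline(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/`([^`]+)`/g, '<code>$1</code>');
}

// Minimal markdown-it-like renderer. allowHtml=true mirrors `html: true`:
// raw HTML in the source is emitted verbatim. allowHtml=false escapes it.
function renderMarkdown(src, { allowHtml }) {
  return src.split(/\n\s*\n/).map((block) => {
    const text = allowHtml ? block.trim() : escapeHtml(block.trim());
    return `<p>${renderInline(text)}</p>`;
  }).join('\n');
}

// Allowlist sanitizer (stand-in for DOMPurify). Disallowed tags are escaped
// rather than dropped; only listed attributes survive, and href must be a
// safe scheme. Regex-based tag parsing is fragile; this is for illustration.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'code', 'a', 'ul', 'ol', 'li']);
const ALLOWED_ATTRS = { a: ['href'] };

function safeHref(value) {
  const v = value.trim();
  return /^(https?:|mailto:)/i.test(v) || /^[/#]/.test(v);
}

function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return escapeHtml(tag);
    if (tag.startsWith('</')) return `</${lower}>`;
    const kept = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!(ALLOWED_ATTRS[lower] || []).includes(attr)) continue; // drops on*, src, style, ...
      if (attr === 'href' && !safeHref(value)) continue;          // drops javascript: URLs
      kept.push(` ${attr}="${escapeHtml(value)}"`);
    }
    return `<${lower}${kept.join('')}>`;
  });
}

// Reviewer check: does the rendered HTML still contain executable content?
// Looks only inside real tags, so escaped text like &lt;img onerror=...&gt; is ignored.
function hasActiveContent(html) {
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1].toLowerCase() === 'script') return true;
    if (/\son[a-z]+\s*=/i.test(m[2])) return true;
    if (/(href|src)\s*=\s*["']?\s*javascript:/i.test(m[2])) return true;
  }
  return false;
}

// Constructed sample: what an Editor-role user might store in a rich text cell.
const POISONED_CELL =
  'Quarterly notes **draft**\n\n' +
  '<img src=x onerror="alert(document.cookie)">\n\n' +
  '<a href="javascript:alert(1)">link</a>';

// The three render paths, in the order a fix would consider them.
function renderVulnerable(cell) { return renderMarkdown(cell, { allowHtml: true }); }                 // html:true + v-html, no sanitizer
function renderEscaped(cell)    { return renderMarkdown(cell, { allowHtml: false }); }                // html:false
function renderSanitized(cell)  { return sanitizeHtml(renderMarkdown(cell, { allowHtml: true })); }   // html:true + sanitizer

for (const [name, fn] of [['vulnerable', renderVulnerable], ['escaped', renderEscaped], ['sanitized', renderSanitized]]) {
  const out = fn(POISONED_CELL);
  console.log(`${name}: active content = ${hasActiveContent(out)}\n${out}\n`);
}
```

Escaping (`html: false`) is the smallest change but loses legitimate HTML in cells; sanitizing after render keeps an allowlisted subset. Either way the check is the same: after rendering, no tag may carry an event handler or a `javascript:` URL, and no `<script>` may survive.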
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026