NocoDB: Malicious Scripts Can Run in Stored Rich Text Cells
CVE-2026-28359
GHSA-qxwq-q265-hc44
Summary
An attacker with Editor permissions can inject malicious code into NocoDB's Rich Text fields, which can run for any user viewing the affected content. This is a security risk because it allows an attacker to take control of user sessions and potentially steal sensitive information. To protect your data, update NocoDB to the latest version and consider limiting user permissions.
What to do
- Update pranavxc nocodb to version 0.301.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| pranavxc | nocodb | <= 0.301.2 | 0.301.3 |
| nocodb | nocodb | <= 0.301.3 | – |
Original title
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
Original description
### Summary
An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.
### Details
The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content is rendered via `v-html` in `TextArea.vue` through `NcMarkdownParser.parse()` which performs no sanitization.
### Impact
Stored XSS — malicious scripts execute for any user viewing the cell.
### Credit
This issue was reported by [@Akokonunes](https://github.com/Akokonunes).
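The Details section above describes the root cause: the TipTap editor sanitizes only in the browser, so a request that skips the editor and sends raw HTML to the API is stored and later rendered with `v-html`. The fix class for that is server-side sanitization at the API boundary, before storage, regardless of what the client did. The following is an added example, not NocoDB's own code or its actual patch: an allowlist-based HTML sanitizer (the tag set and the accepted `href` schemes are assumptions chosen for the example) plus an audit helper that reports which tags and attributes would be dropped, which is useful for scanning cells stored before an upgrade. The sample payload at the bottom is constructed for the demonstration.

```javascript
// Added example (not NocoDB code): server-side allowlist sanitizer for HTML
// arriving through the API, plus an audit helper for already-stored cells.

// Tags a Rich Text cell may contain (assumed set for this example).
const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "em", "strong", "u", "s", "code", "pre",
  "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "a",
]);
// Only these schemes survive on <a href>; javascript:, data:, etc. are dropped.
const SAFE_HREF = /^(https?:|mailto:)/i;

// One tag: optional "/", name, attribute list, optional trailing "/", ">".
// Anything that does not parse as a tag is treated as text and escaped,
// so malformed markup such as "<svg/onload=...>" fails closed.
const TAG_RE =
  /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
// One attribute inside a tag's attribute list: name, optional quoted/bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Text nodes: neutralise angle brackets so leftover markup cannot form tags.
const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
// Attribute values: additionally escape quotes and ampersands.
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Walks the input once; returns the cleaned HTML and a list of what was dropped.
function sanitize(html) {
  let out = "";
  let last = 0;
  const dropped = [];
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const [whole, closing, rawName, attrs, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      dropped.push(`tag:${name}`);
      out += escapeText(whole); // keep it visible to the user, but inert
      continue;
    }
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    let kept = "";
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (name === "a" && attrName === "href" && SAFE_HREF.test(value)) {
        kept = ` href="${escapeAttr(value)}" rel="noopener noreferrer"`;
      } else {
        // Every other attribute (on* handlers, style, src, ...) is discarded.
        dropped.push(`attr:${name}.${attrName}`);
      }
    }
    out += `<${name}${kept}${selfClose ? " /" : ""}>`;
  }
  out += escapeText(html.slice(last));
  return { html: out, dropped };
}

// Apply on the write path, before the cell value reaches the database.
function sanitizeHtml(html) {
  return sanitize(html).html;
}

// Apply on the read path or in a migration to find cells that carry
// markup the allowlist would reject; an empty array means the cell is clean.
function auditHtml(html) {
  return sanitize(html).dropped;
}

// Constructed sample of the kind of raw HTML an API call could carry past
// the editor; used here only to exercise the sanitizer.
const sample =
  '<p>Quarterly <b>notes</b></p><img src=x onerror=alert(1)>' +
  '<a href="javascript:alert(1)">link</a><a href="https://example.com">docs</a>';
console.log(sanitizeHtml(sample));
console.log(auditHtml(sample));
```

Two design points matter more than the particular allowlist. First, the sanitizer runs on the server, so it does not depend on which client produced the request. Second, unknown or unparseable markup is escaped rather than silently deleted, which both fails closed and leaves the offending text visible for the row owner to notice and fix.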
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026