
NocoDB: Malicious Code Can Run on Any User's Browser

CVE-2026-28398 GHSA-8vm4-g489-v3w7
Summary

NocoDB has a security flaw that allows attackers to inject malicious code into comments and rich text cells. That code runs in the browser of any user who views the affected comment or cell, compromising their session and data. The fix is for NocoDB to sanitize this user-supplied content before rendering it; users should update to the latest version of NocoDB.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| pranavxc | nocodb | <= 0.301.2 | 0.301.3 |
| nocodb | nocodb | <= 0.301.3 | |
Original title
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Original description
### Summary
User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.

### Details
Comments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and injected via `v-html`. The codebase had `vue-dompurify-html` available but these paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`.

Commenter role is sufficient for the comments vector; Editor role for rich text.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.
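The two rendering paths named above, as an added example that is not NocoDB's code. It models only the part of markdown-it that matters here: with `html: true` raw HTML in the source passes straight through to the output, with `html: false` (the default) the tag characters are escaped. Nothing else of markdown-it, Vue's `v-html` or DOMPurify is reproduced, so the block runs offline; the paragraph splitter, the `containsActiveHtml` regression check and the `extractPropsAndSanitize` stand-in are hypothetical helpers, and escaping is used where the real fix would run an HTML sanitizer such as `vue-dompurify-html`.

```javascript
// Added example (not NocoDB's code): a model of the two rendering paths named in the
// advisory. markdown-it with `html: true` passes raw HTML in the source straight through;
// with `html: false` (its default) it escapes the tag characters. Only that behaviour is
// reproduced here so the example runs offline without markdown-it, Vue or DOMPurify.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text be interpreted as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Split a comment into paragraphs on blank lines (the only markdown rule this model handles).
function paragraphs(markdown) {
  return markdown.split(/\n\s*\n/).filter((p) => p.length > 0);
}

// Vulnerable path (html: true + v-html): raw HTML in the comment reaches the DOM unchanged.
function renderCommentUnsafe(markdown) {
  return paragraphs(markdown).map((p) => `<p>${p}</p>`).join('');
}

// Fixed path: escape raw HTML before wrapping, the equivalent of markdown-it `html: false`.
// The real fix additionally runs the output through DOMPurify (vue-dompurify-html);
// escaping stands in for that here because a full allowlist sanitizer is out of scope.
function renderCommentSafe(markdown) {
  return paragraphs(markdown).map((p) => `<p>${escapeHtml(p)}</p>`).join('');
}

// Regression check for a test suite: does rendered output still carry a script/iframe
// element or an inline event-handler attribute inside a tag? A heuristic for tests only,
// not a sanitizer.
function containsActiveHtml(html) {
  return /<script\b|<iframe\b|<[^>]*\son\w+\s*=/i.test(html);
}

// Server-side analogue of the advisory's extractPropsAndSanitize(): keep only the
// allowlisted fields and neutralise markup in string fields at insert time, so stored
// content is inert even if a client later renders it with raw v-html. Hypothetical helper.
function extractPropsAndSanitize(body, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (!(key in body)) continue;
    out[key] = typeof body[key] === 'string' ? escapeHtml(body[key]) : body[key];
  }
  return out;
}

// Constructed sample comment (test fixture): a friendly line followed by raw HTML.
const SAMPLE_COMMENT = 'Looks good!\n\n<script>alert(1)</script>';

// Run both paths over the fixture and report whether each leaves active HTML behind.
function compareRenderPaths(markdown = SAMPLE_COMMENT) {
  const unsafe = renderCommentUnsafe(markdown);
  const safe = renderCommentSafe(markdown);
  return {
    unsafe,
    safe,
    unsafeIsActive: containsActiveHtml(unsafe),
    safeIsActive: containsActiveHtml(safe),
  };
}

console.log(compareRenderPaths());
```

The useful part for a code review is the pairing: a client that uses raw `v-html` is only safe if everything upstream (the markdown parser's `html` option and the server's insert path) already neutralised markup, which is why the advisory lists all three locations. The `containsActiveHtml` check is the kind of assertion to keep in the test suite so a later refactor that re-enables `html: true` or swaps `extractPropsAndSanitize()` back for `extractProps()` fails CI.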

### Impact
Stored XSS — malicious scripts execute for any user viewing the comment or cell.

### Credit
This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026