Severity: 5.3 (CVSS 4.0)

NocoDB Comments Can Execute Malicious Scripts

CVE-2026-28397 GHSA-rcph-x7mj-54mm
Summary

NocoDB's comment feature allows a user with the Commenter role to inject HTML and script into a comment; the injected code is stored and executes in the browser of every user who later views that comment (stored cross-site scripting), so an attacker can perform actions as the viewing user and show them arbitrary content. To protect your users, update NocoDB to version 0.301.3 or a later release if one is available, and consider limiting who holds the Commenter role until you have done so.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
Vendor    Product  Affected versions  Fix available
pranavxc  nocodb   <= 0.301.2         0.301.3
nocodb    nocodb   <= 0.301.3         -
Original title
NocoDB Vulnerable to Stored Cross-site Scripting via Comments
Original description
### Summary
Comments rendered via `v-html` without sanitization, enabling stored XSS.

### Details
Comments in `Comments.vue` were parsed by markdown-it with `html: true` and injected via `v-html` without DOMPurify. A user with Commenter role can inject arbitrary HTML that executes for all viewers.

### Impact
Stored XSS — malicious scripts execute for any user viewing the comment.

### Credit
This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members [@p-](https://github.com/p-) (Peter Stockli) and [@m-y-mo](https://github.com/m-y-mo) (Man Yue Mo).
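The two rendering paths described in the Details section above, as an added example that is not NocoDB's code: the `renderMarkdown` function is a small stand-in for markdown-it (the real library passes raw HTML through when `html: true` and escapes it when `html: false`), `sanitizeHtml` is a toy allowlist filter standing in for DOMPurify, `SAMPLE_COMMENT` is a constructed payload of the kind a Commenter could submit, and all function names are assumptions made for this example.

```javascript
'use strict';

// Added example, not NocoDB code. Tags, attributes and URL schemes a rendered comment may keep.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'code', 'pre', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const DROP_WITH_CONTENT = new Set(['script', 'style']);
const SAFE_HREF = /^(https?:|mailto:)/i;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Minimal markdown renderer standing in for markdown-it: supports **bold** and `code` only.
// html: true passes raw HTML through untouched (the vulnerable setting); html: false escapes it.
function renderMarkdown(src, { html }) {
  const text = html ? src : escapeHtml(src);
  return '<p>' +
    text.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
        .replace(/`([^`]+)`/g, '<code>$1</code>') +
    '</p>';
}

// Toy allowlist sanitizer in the spirit of DOMPurify (use the real library in production):
// unknown tags are dropped, script/style are dropped together with their content, only
// listed attributes survive, and href must carry an http(s) or mailto scheme.
function sanitizeHtml(html) {
  const TAG = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const keepText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
  let out = '';
  let last = 0;
  let m;
  while ((m = TAG.exec(html)) !== null) {
    out += keepText(html.slice(last, m.index));
    last = TAG.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (DROP_WITH_CONTENT.has(name) && !closing) {
      // Skip everything up to and including the matching closing tag.
      const closeRe = new RegExp('</' + name + '\\b[^>]*>', 'ig');
      closeRe.lastIndex = last;
      const c = closeRe.exec(html);
      if (!c) { last = html.length; break; }
      last = c.index + c[0].length;
      TAG.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;        // drop the tag, keep its text content
    if (closing) { out += '</' + name + '>'; continue; }
    let attrs = '';
    const allowed = ALLOWED_ATTRS[name];
    ATTR.lastIndex = 0;
    let a;
    while (allowed && (a = ATTR.exec(m[2])) !== null) {
      const attrName = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!allowed.has(attrName)) continue;       // drops on* handlers, style, etc.
      if (attrName === 'href' && !SAFE_HREF.test(value)) continue;   // drops javascript:/data:
      attrs += ' ' + attrName + '="' + escapeHtml(value) + '"';
    }
    out += '<' + name + attrs + '>';
  }
  out += keepText(html.slice(last));
  return out;
}

// Constructed sample (assumption): a comment a user with the Commenter role could submit.
const SAMPLE_COMMENT =
  'Looks **good** <img src=x onerror="alert(document.cookie)"> see <a href="javascript:alert(1)">this</a>';

// Vulnerable pipeline as the advisory describes it: html: true, no sanitizer, result bound via v-html.
function renderCommentVulnerable(src) {
  return renderMarkdown(src, { html: true });
}

// Hardened pipeline: whatever the renderer produces is sanitized before it reaches v-html.
function renderCommentHardened(src) {
  return sanitizeHtml(renderMarkdown(src, { html: true }));
}

// Crude tell for active content in rendered output (a test aid, not a sanitizer).
function hasActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

console.log('vulnerable:', renderCommentVulnerable(SAMPLE_COMMENT));
console.log('hardened:  ', renderCommentHardened(SAMPLE_COMMENT));
```

In the component, only the hardened string should ever be bound to `v-html`; disabling raw HTML in the markdown renderer (`html: false`) is the cheaper first step, and sanitizing the rendered output with DOMPurify is the defence in depth that also covers HTML the renderer itself emits. The allowlist filter above is illustrative only: it does not handle entity-encoded or whitespace-split schemes, CSS, SVG or MathML namespaces, which is exactly why the real fix uses a maintained sanitizer.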
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026