NocoDB: Injecting malicious scripts in Formula cells

CVE-2026-28357 GHSA-vx5p-q85x-xm3c
Summary

A NocoDB user holding the Creator role (the minimum role that can add a formula field) can write a formula whose evaluated result contains HTML. When a formula result contains a `URI::()` pattern, NocoDB rewrites that pattern into a link and renders the result through `v-html` without sanitizing the rest of the string, so the injected markup runs in the browser of every user who views the table. The advisory's stated impact is credential theft through script execution in those users' sessions. The fix is to update; until the update is applied, limit the Creator role to trusted users and review existing formula fields for embedded markup.

What to do
  • Update pranavxc nocodb to version 0.301.3.
Affected software
  Vendor     Product   Affected versions   Fix available
  pranavxc   nocodb    <= 0.301.2          0.301.3
  nocodb     nocodb    <= 0.301.3          –
Original title
NocoDB has Stored Cross-site Scripting via Formula Cell
Original description
### Summary
A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing `URI::()` patterns are rendered via `v-html` without sanitization, allowing injected HTML to execute.

### Details
The `replaceUrlsWithLink()` function in `urlUtils.ts` converts `URI::(url)` patterns to `<a>` tags but passes all other HTML through unchanged. A user with Creator role (minimum role for formula field creation) can craft a formula like `CONCAT("URI::(https://example.com)", "<img src=x onerror=...>")` to inject arbitrary scripts rendered for all viewers.

### Impact
Credential theft via script execution in the context of users viewing the table.

### Credit
This issue was reported by [@Akokonunes](https://github.com/Akokonunes).
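
The Details section above describes a linkifier that rewrites `URI::(url)` into an `<a>` tag and leaves every other character untouched before the string reaches a `v-html` sink. The following is an added example, not NocoDB's code and not the project's actual fix: it models that vulnerable behaviour beside a hardened variant that HTML-escapes all untrusted text, attribute-escapes the href, and only links http(s) URLs. The function names, the exact `URI::(...)` grammar, the prefix-based scheme check and the sample formula result (the advisory's `CONCAT` payload with a placeholder `onerror` body) are assumptions made for the example.

```typescript
// Added example (not NocoDB's code): a minimal model of the formula-cell
// linkification the advisory describes, beside a hardened variant. Function
// names and the exact URI::(...) grammar are illustrative assumptions.

const URI_PATTERN_SOURCE = "URI::\\(([^)]*)\\)";

// Vulnerable-style transform. It only rewrites URI::(url) into an <a> tag;
// every other character of the formula result is passed through unchanged,
// so any HTML the formula produced reaches the v-html sink verbatim, and the
// URL itself lands unescaped inside an attribute.
export function replaceUrlsWithLinkUnsafe(text: string): string {
  const re = new RegExp(URI_PATTERN_SOURCE, "g");
  return text.replace(re, (_m: string, url: string) =>
    `<a href="${url}" target="_blank">${url}</a>`);
}

// Escape the five characters that can open a tag or close an attribute.
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c: string): string => {
    switch (c) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default: return "&#39;";
    }
  });
}

// Scheme allowlist: only http(s) may become a clickable link; javascript:,
// data: and anything else stays plain text. (Assumption: a prefix check is
// enough for this example; a real implementation would parse the URL.)
export function isSafeUrl(url: string): boolean {
  return /^https?:\/\/\S+$/i.test(url);
}

// Hardened transform: every segment of untrusted text is HTML-escaped, and the
// only markup in the output is the <a> element this function builds itself,
// with the href attribute-escaped and the scheme allowlisted.
export function replaceUrlsWithLinkSafe(text: string): string {
  const re = new RegExp(URI_PATTERN_SOURCE, "g");
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index)); // text before the match
    const url = m[1];
    if (isSafeUrl(url)) {
      const safe = escapeHtml(url);
      out += `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
    } else {
      out += escapeHtml(m[0]); // keep the unrecognised URI::(...) visible but inert
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Review helper for the "review formula cell contents" advice: flags any
// formula result that carries raw markup outside the URI::(...) syntax.
export function containsRawMarkup(formulaResult: string): boolean {
  const stripped = formulaResult.replace(new RegExp(URI_PATTERN_SOURCE, "g"), "");
  return /[<>]/.test(stripped);
}

// Constructed sample: the evaluated result of the formula quoted in the
// advisory, CONCAT("URI::(https://example.com)", "<img src=x onerror=...>"),
// with a placeholder handler body standing in for the elided "...".
export const SAMPLE_RESULT = "URI::(https://example.com)<img src=x onerror=alert(1)>";

console.log("unsafe:", replaceUrlsWithLinkUnsafe(SAMPLE_RESULT));
console.log("safe:  ", replaceUrlsWithLinkSafe(SAMPLE_RESULT));
console.log("raw markup present:", containsRawMarkup(SAMPLE_RESULT));
```

Two points worth noticing: the unsafe version has a second sink besides the pass-through, since a `"` inside the URL closes the `href` attribute, and the hardened version escapes the untrusted segments rather than trying to strip tags, which is the property that makes the `v-html` sink safe regardless of what the formula evaluates to.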
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026