No-Code, Yes-Exploit: Weaponizing SVGs in NocoDB
Vulnerability ID: CVE-2026-24769
CVSS Score: 8.5
Published: 2026-01-28
A critical Stored Cross-Site Scripting (XSS) vulnerability in NocoDB allows authenticated attackers to upload malicious SVG attachments. Due to lax MIME type checking and unsafe content disposition handling, these files execute arbitrary JavaScript in the victim's browser upon preview, leading to potential account takeover.
TL;DR
NocoDB treated all 'images' as safe to preview, forgetting that SVGs are basically executable XML. Attackers can upload a weaponized SVG, wait for an admin to preview it, and steal their session tokens.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-24769
- CVSS Score: 8.5 (High)
- Attack Vector: Network (Stored XSS)
- CWE: CWE-79 (XSS)
- Discovery: GitHub Security Lab AI
- Exploit Status: PoC Available
Affected Systems
- NocoDB < 0.301.0 (Fixed in: 0.301.0)
Mitigation Strategies
- Upgrade to NocoDB v0.301.0 or later immediately.
- Configure a strict Content Security Policy (CSP) to block inline scripts.
- Restrict file uploads to specific safe extensions at the reverse proxy level.
Remediation Steps:
- Pull the latest Docker image: docker pull nocodb/nocodb:latest
- Verify the version is >= 0.301.0 in the dashboard settings.
- Audit existing SVG attachments in the database for malicious scripts.
- Force a password reset for all administrative users if exploitation is suspected.
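The audit step above needs something concrete to grep for, and the root cause (an SVG previewed inline as if it were a plain image) is fixed by how the attachment is served. The following is an added example, not NocoDB's own code: a regex triage pass over attachment rows of an assumed shape, plus the response headers that stop an untrusted SVG from executing in the viewer's browser.

```javascript
// Added example, not NocoDB's own code: regex triage for auditing stored SVG
// attachments, plus response headers that stop an untrusted SVG from executing.

// Markers of active content. Triage, not a sanitizer: entity/encoding tricks can
// evade regexes, so a hit means "review by hand" and no hit means "nothing obvious".
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element',       re: /<\s*script\b/i },
  { name: 'event handler attr',   re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URI',      re: /(?:xlink:)?href\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject (HTML)', re: /<\s*foreignObject\b/i },
  { name: 'external href',        re: /(?:xlink:)?href\s*=\s*["']?\s*(?:https?:|\/\/)/i },
  { name: 'animated href',        re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i },
];

// Names of every pattern that fires on one SVG document.
function svgActiveContentFindings(svgText) {
  return ACTIVE_CONTENT_PATTERNS.filter(({ re }) => re.test(svgText)).map(({ name }) => name);
}

// Audit pass over attachment rows ({ id, mimeType, filename, body }; an assumed
// shape, not NocoDB's schema). Anything that is an SVG by MIME type, extension
// or content is scanned, whatever type the uploader declared.
function auditAttachments(rows) {
  const isSvg = r => r.mimeType === 'image/svg+xml' || /\.svg$/i.test(r.filename) || /^\s*<(\?xml|svg)/i.test(r.body);
  return rows.filter(isSvg)
    .map(r => ({ id: r.id, findings: svgActiveContentFindings(r.body) }))
    .filter(r => r.findings.length > 0);
}

// Headers for serving an attachment to a browser: download instead of inline
// preview, no MIME sniffing, and a sandboxing CSP if it is rendered inline anyway.
function untrustedAttachmentHeaders(filename, mimeType) {
  const safeName = filename.replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': mimeType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample rows (not real NocoDB data); row 2 is an SVG mislabelled as PNG.
const SAMPLE_ROWS = [
  { id: 1, mimeType: 'image/svg+xml', filename: 'logo.svg', body: '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>' },
  { id: 2, mimeType: 'image/png', filename: 'chart.png', body: '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>void 0</script></svg>' },
  { id: 3, mimeType: 'image/svg+xml', filename: 'icon.svg', body: '<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:void 0"><text>x</text></a></svg>' },
];

console.log(JSON.stringify(auditAttachments(SAMPLE_ROWS)));
```

Row 2 shows why the scan keys on content and not only on the declared MIME type: the mislabelled PNG is still flagged, while the clean logo in row 1 produces no findings.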
References
Read the full report for CVE-2026-24769 on our website for more details including interactive diagrams and full exploit analysis.