CVE-2026-28401: Stored Cross-Site Scripting (XSS) in NocoDB Rich Text Components
Vulnerability ID: CVE-2026-28401
CVSS Score: 5.4
Published: 2026-03-03
NocoDB, an open-source airtable alternative, contains a stored Cross-Site Scripting (XSS) vulnerability in versions prior to 0.301.3. The vulnerability exists within the rendering logic for Rich Text cells, where user-supplied Markdown is converted to HTML and rendered without sufficient sanitization. Authenticated attackers with Editor permissions can inject malicious JavaScript payloads into database cells. These payloads execute in the context of other users' sessions—including Administrators—when the affected cell is viewed in the grid, form, or expanded view interfaces.
TL;DR
NocoDB versions before 0.301.3 allow authenticated Editors to inject malicious scripts into Rich Text cells. The issue stems from unsafe Markdown rendering configurations permitting raw HTML. Attackers can hijack sessions of any user viewing the compromised data.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-28401
- CWE ID: CWE-79
- CVSS v3.1: 5.4 (Medium)
- Attack Vector: Network
- Privileges Required: Low (Editor)
- User Interaction: Required (Passive)
- Exploit Status: PoC Available
Affected Systems
- NocoDB < 0.301.3
-
NocoDB: < 0.301.3 (Fixed in:
0.301.3)
Exploit Details
- GHSA: Advisory containing technical details and attack vectors
Mitigation Strategies
- Input Sanitization
- Output Encoding
- Content Security Policy (CSP)
- Least Privilege
Remediation Steps:
- Upgrade NocoDB to version 0.301.3 or later immediately.
- If immediate upgrade is not possible, implement a Content Security Policy (CSP) that restricts script sources (
script-src) and forbidsunsafe-inline. - Audit existing database content for suspicious HTML tags (e.g.,
<script>,<iframe>,on*event handlers) in Rich Text columns.
References
Read the full report for CVE-2026-28401 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)