NocoDB has Stored Cross-site Scripting via Formula Cell
GHSA-vx5p-q85x-xm3c · CVE-2026-28357
Description
Summary
A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing a URI::() pattern are rendered with v-html without sanitization, so any HTML injected into the formula output executes in the browser of every user who views the cell.
Details
The replaceUrlsWithLink() function in urlUtils.ts converts URI::(url) patterns to <a> tags but passes all other HTML in the string through unchanged. Because the result is bound with v-html, that pass-through HTML is parsed as markup rather than shown as text. A user with the Creator role (the minimum role required to create a formula field) can craft a formula such as CONCAT("URI::(https://example.com)", "<img src=x onerror=...>") to inject arbitrary script that is rendered for all viewers of the table.
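To make the defect concrete, the following is an added example, not NocoDB's own urlUtils.ts. It re-implements the described behaviour (a URI::(url) token rewritten to a link, everything else passed through) beside a hardened variant that escapes every non-token segment and only links http(s) URLs. The regex, function names, escapeHtml/safeHref helpers and the sample input are assumptions made for this example.

```typescript
// Token the formula output uses to mark a link; assumed shape for this example.
const URI_PATTERN = /URI::\(([^)]*)\)/g;

// Vulnerable variant (assumed to mirror the reported behaviour): only the URI::(...)
// token is rewritten. Everything else is returned verbatim, so any HTML present in
// the formula result reaches v-html unescaped.
function replaceUrlsWithLinkVulnerable(text: string): string {
  return text.replace(
    URI_PATTERN,
    (_m, url: string) => `<a href="${url}" target="_blank">${url}</a>`,
  );
}

// Minimal HTML escaper for text content and attribute values.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs may become links; javascript:, data: and relative
// strings are rendered as escaped text instead. Returns the normalised href or null.
function safeHref(url: string): string | null {
  try {
    const u = new URL(url);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch {
    // not an absolute URL
  }
  return null;
}

// Hardened variant: walk the string, escape each non-token segment, validate the
// URL, and escape it again when embedding it in the attribute and link text.
function replaceUrlsWithLinkSafe(text: string): string {
  const re = new RegExp(URI_PATTERN.source, "g"); // fresh instance, lastIndex = 0
  let out = "";
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[1]);
    out += href
      ? `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(href)}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample: what a formula like
// CONCAT("URI::(https://example.com)", "<img src=x onerror=alert(1)>") would yield.
const SAMPLE = 'URI::(https://example.com)<img src=x onerror=alert(1)>';

// Runs both variants over the sample so the difference can be inspected or asserted.
function demo(): { vulnerable: string; safe: string } {
  return {
    vulnerable: replaceUrlsWithLinkVulnerable(SAMPLE),
    safe: replaceUrlsWithLinkSafe(SAMPLE),
  };
}

console.log(demo());
```

The vulnerable output keeps `<img src=x onerror=alert(1)>` as live markup after the generated anchor; the hardened output renders it as `&lt;img src=x onerror=alert(1)&gt;`, which v-html displays as text. Escaping the segments and validating the scheme is the part that matters; a template that uses text interpolation instead of v-html would remove the problem entirely for the non-link portion.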
Impact
Arbitrary script execution in the browser of any user who views the table, allowing credential theft in that user's session context.
Credit
This issue was reported by @Akokonunes.