NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field

GHSA-qxwq-q265-hc44 · CVE-2026-28359

Published Mar 2, 2026 · Modified Mar 4, 2026

Description

Summary

An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.

Details

The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content is rendered via v-html in TextArea.vue through NcMarkdownParser.parse() which performs no sanitization.

Impact

Stored XSS — malicious scripts execute for any user viewing the cell.

Credit

This issue was reported by @Akokonunes.

References

WEB https://github.com/nocodb/nocodb/security/advisories/GHSA-qxwq-q265-hc44
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-28359
PACKAGE https://github.com/nocodb/nocodb
WEB https://github.com/nocodb/nocodb/releases/tag/0.301.3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes