NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

GHSA-8vm4-g489-v3w7 · CVE-2026-28398

Published Mar 3, 2026 · Modified Mar 4, 2026

Description

Summary

User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS.

Details

Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html available but these paths used raw v-html. Server-side, Comment.insert() used extractProps() instead of extractPropsAndSanitize().

Commenter role is sufficient for the comments vector; Editor role for rich text.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.

Impact

Stored XSS — malicious scripts execute for any user viewing the comment or cell.

Credit

This issue was reported by @bugbunny-research (bugbunny.ai).

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes