CVE-2026-28357: NocoDB Stored XSS Vulnerability

CVE-2026-28357 Overview

A stored Cross-Site Scripting (XSS) vulnerability has been identified in NocoDB, the open-source software for building databases as spreadsheets. Prior to version 0.301.3, a security flaw exists in the Formula virtual cell component where formula results containing URI::() patterns are rendered via v-html without proper sanitization. This allows attackers to inject malicious HTML that executes in the context of other users' browsers, potentially leading to session hijacking, data theft, or unauthorized actions within the application.

Critical Impact

Attackers can inject and execute arbitrary JavaScript code through malicious formula inputs, compromising user sessions and potentially accessing sensitive database information stored in NocoDB instances.

Affected Products

• NocoDB versions prior to 0.301.3
• NocoDB Formula virtual cell component
• Self-hosted and cloud NocoDB deployments using vulnerable versions

Discovery Timeline

• 2026-03-02 - CVE CVE-2026-28357 published to NVD
• 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-28357

Vulnerability Analysis

This stored XSS vulnerability (CWE-79) resides in NocoDB's Formula virtual cell rendering mechanism. The application fails to properly sanitize formula output when the result contains URI::() patterns. When these formula results are rendered in the user interface, the application uses Vue.js's v-html directive which directly interprets the content as HTML rather than treating it as plain text.

The stored nature of this vulnerability makes it particularly dangerous in collaborative environments. Once a malicious payload is saved within a formula cell, it will execute every time another user views that cell, creating a persistent attack vector that can target multiple users without requiring further attacker interaction.

Root Cause

The root cause of this vulnerability is improper output encoding in the Formula virtual cell component. When formula results are displayed to users, the application renders content containing URI::() patterns using the v-html directive without first sanitizing the HTML content. This allows specially crafted formula inputs to include malicious script tags or event handlers that execute in users' browsers.

The lack of input validation on formula content combined with unsafe rendering practices creates a classic stored XSS condition where user-supplied data is persisted and later displayed to other users without adequate security controls.

Attack Vector

The attack is network-based and requires user interaction. An attacker with the ability to create or modify formula cells in a NocoDB database can craft a malicious formula that includes JavaScript code embedded within URI::() patterns. When other users view the affected cell:

1. The formula is evaluated and the result stored in the database
2. The malicious content persists in the application
3. When rendered to other users, the v-html directive interprets the payload as HTML
4. The injected JavaScript executes in the victim's browser context

This allows the attacker to steal session cookies, capture keystrokes, redirect users to phishing sites, or perform actions on behalf of the victim within NocoDB.

Detection Methods for CVE-2026-28357

Indicators of Compromise

• Unusual or obfuscated content within NocoDB formula cells, particularly containing URI::() patterns
• Formula cells containing <script> tags, event handlers (onclick, onerror, etc.), or encoded JavaScript
• Unexpected network requests originating from NocoDB to external domains
• User reports of unusual behavior or unexpected redirects when viewing specific cells

Detection Strategies

• Review NocoDB application logs for formula cells containing HTML tags or JavaScript patterns
• Implement Web Application Firewall (WAF) rules to detect XSS payloads in form submissions to NocoDB
• Monitor for formula content containing suspicious patterns like javascript:, data:, or event handlers
• Audit existing formula cells in databases for potential malicious content

Monitoring Recommendations

• Enable detailed logging for NocoDB application activities and formula evaluations
• Set up alerts for formula cells containing HTML entities or script-related content
• Monitor client-side JavaScript errors that may indicate XSS payload execution attempts
• Track and investigate any unusual data exfiltration patterns from NocoDB instances

How to Mitigate CVE-2026-28357

Immediate Actions Required

• Upgrade NocoDB to version 0.301.3 or later immediately
• Review existing formula cells in all databases for potentially malicious content
• Audit user access and remove unnecessary write permissions until patching is complete
• Implement Content Security Policy (CSP) headers to limit the impact of any XSS exploitation

Patch Information

NocoDB has addressed this vulnerability in version 0.301.3. The patch implements proper sanitization for formula results before rendering via v-html, preventing injected HTML from executing. Administrators should update their NocoDB installations to the patched version as soon as possible.

For detailed information about the fix, refer to the NocoDB Release Notes and the GitHub Security Advisory.

Workarounds

• Restrict formula creation and modification permissions to trusted users only until the patch can be applied
• Implement strict Content Security Policy headers to prevent inline script execution
• Deploy a Web Application Firewall with XSS detection capabilities in front of NocoDB instances
• Regularly audit formula cell content for suspicious patterns or encoded payloads

# Example: Implementing Content Security Policy headers in nginx
# Add to your NocoDB nginx configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none';" always;