CVE-2026-28397 Overview
CVE-2026-28397 is a stored Cross-Site Scripting (XSS) vulnerability affecting NocoDB, an open-source platform for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via Vue's v-html directive without proper sanitization enable attackers to inject and execute arbitrary JavaScript code in the context of other users' browser sessions.
Critical Impact
Authenticated attackers can inject malicious scripts through comment fields, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of other NocoDB users.
Affected Products
- NocoDB versions prior to 0.301.3
- Self-hosted NocoDB deployments
- NocoDB instances with user comment functionality enabled
Discovery Timeline
- 2026-03-02 - CVE-2026-28397 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28397
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) stems from the use of Vue.js's v-html directive to render user-submitted comment content without proper sanitization. The v-html directive outputs raw HTML directly into the DOM, making it inherently dangerous when processing untrusted input. When users create or edit comments containing malicious HTML or JavaScript, the application stores and subsequently renders this content in other users' browsers without escaping or filtering.
The network-based attack vector allows remote exploitation, though user interaction is required, as victims must view a page containing the malicious comment. The vulnerability affects the confidentiality and integrity of user sessions within the NocoDB application context.
Root Cause
The root cause is the direct binding of user-controlled comment data to the v-html directive in Vue.js components without implementing input sanitization or output encoding. This architectural decision bypasses Vue's built-in XSS protections that would normally apply when using text interpolation ({{ }}). The lack of a Content Security Policy (CSP) or HTML sanitization library (such as DOMPurify) compounds the issue by allowing injected scripts to execute freely.
Attack Vector
An attacker with authenticated access to a NocoDB workspace can exploit this vulnerability by submitting a comment containing malicious HTML or JavaScript payloads. When other users navigate to views displaying these comments, the malicious script executes in their browser context. This can be leveraged for session token theft, phishing attacks, keylogging, or performing actions as the victim user within the application.
The attack requires no special privileges beyond the ability to create comments, making it accessible to any authenticated user within a shared workspace. The stored nature of this XSS means the payload persists and affects all users who view the compromised content.
Detection Methods for CVE-2026-28397
Indicators of Compromise
- Unusual HTML tags or JavaScript code present in comment fields within the NocoDB database
- Browser developer console errors related to blocked script execution if CSP is partially implemented
- User reports of unexpected behavior or redirects when viewing comments
- Database entries containing <script>, onerror=, onload=, or similar XSS payload patterns in comment tables
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block common XSS payload patterns in HTTP requests
- Deploy browser-based XSS detection mechanisms that monitor for suspicious DOM modifications
- Enable detailed application logging for comment creation and modification events
- Use SentinelOne Singularity XDR to detect anomalous JavaScript execution patterns and potential data exfiltration attempts
Monitoring Recommendations
- Review stored comments periodically for suspicious content patterns
- Monitor network traffic for unusual outbound requests originating from client browsers during NocoDB sessions
- Implement alerting for high-frequency comment creation or modification activities that may indicate automated exploitation attempts
How to Mitigate CVE-2026-28397
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Audit existing comments in the database for potentially malicious content
- Implement a strict Content Security Policy (CSP) header to mitigate impact of any existing XSS payloads
- Consider temporarily disabling comment functionality if immediate patching is not possible
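An added audit script (not NocoDB project code) for the comment review called for under Indicators of Compromise and Immediate Actions: it scans exported comment rows for the <script>, onerror= and onload= patterns the advisory lists, generalised to any on*= handler, javascript: URLs and entity-encoded variants. The { id, body } row shape and the sample rows are assumptions.

```javascript
// Audit stored NocoDB comments for XSS payload patterns (added example, not
// NocoDB project code). Assumes comment rows were exported as { id, body };
// the real column names in a NocoDB database may differ.

// Patterns from the advisory (<script>, onerror=, onload=), generalised to any
// on*= handler attribute, javascript: URLs and tags commonly used to carry them.
const XSS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'embedding-tag',  re: /<\s*(iframe|object|embed|svg|img)\b/i },
];

// Decode one layer of HTML entities so `&lt;script&gt;` is not missed.
// `&amp;` is decoded last on purpose: double-encoded text stays encoded.
const fromCode = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, '&');
}

// Returns the names of every pattern matched by one comment body.
function classifyComment(body) {
  const text = decodeEntities(String(body ?? ''));
  return XSS_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

// Returns the rows an analyst should review, with the patterns that fired.
// Hits are leads, not proof: prose such as "set onload=..." will also match.
function auditComments(rows) {
  return rows
    .map((row) => ({ id: row.id, patterns: classifyComment(row.body) }))
    .filter((f) => f.patterns.length > 0);
}

// Constructed sample rows (not real NocoDB data); payloads are inert alert() tests.
const SAMPLE_COMMENTS = [
  { id: 1, body: 'Looks good, approved.' },
  { id: 2, body: '<script>alert(1)</script>' },
  { id: 3, body: '<img src=x onerror="alert(1)">' },
  { id: 4, body: '&lt;ScRiPt&gt;alert(1)&lt;/script&gt;' }, // entity-encoded
  { id: 5, body: 'See <a href="javascript:void(0)">here</a>' },
  { id: 6, body: 'The onload handler fires before the chart is ready' },
];
console.log(JSON.stringify(auditComments(SAMPLE_COMMENTS), null, 2));
```

Rows 2 to 5 are returned for review; row 6 mentions onload in prose without an assignment and is not flagged.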
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The patch implements proper HTML sanitization for comment content before rendering. Organizations should update their NocoDB installations by pulling the latest release from the official repository. For detailed patch information, refer to the GitHub Release Notes for version 0.301.3 and the GitHub Security Advisory GHSA-rcph-x7mj-54mm.
Workarounds
- Deploy a reverse proxy with WAF capabilities to filter XSS payloads in incoming requests
- Restrict comment creation permissions to trusted users only until patching is complete
- Implement browser-side XSS protection headers (X-XSS-Protection, though deprecated) as a defense-in-depth measure
- Add a Content Security Policy header with script-src 'self' to prevent inline script execution
# Example nginx configuration for CSP header
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.