CVE-2026-28398 Overview
CVE-2026-28398 is a stored Cross-Site Scripting (XSS) vulnerability affecting NocoDB, an open-source platform for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling attackers to inject and execute malicious JavaScript code in the context of other users' browser sessions.
Critical Impact
Attackers can inject persistent malicious scripts through comments or rich text cells that execute when other users view the affected content, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of authenticated users.
Affected Products
- NocoDB versions prior to 0.301.3
- NocoDB installations with user-accessible comments or rich text fields
- Self-hosted and cloud-based NocoDB deployments using vulnerable versions
Discovery Timeline
- 2026-03-02 - CVE-2026-28398 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-28398
Vulnerability Analysis
This stored XSS vulnerability stems from improper handling of user input in NocoDB's Vue.js frontend components. The application uses Vue's v-html directive to render user-supplied content in comments and rich text cells without first sanitizing the input. The v-html directive directly injects raw HTML into the DOM, which is explicitly documented by Vue.js as dangerous when used with untrusted content.
When a malicious user submits JavaScript code embedded within HTML tags to a comment or rich text field, this code is stored in the database. Subsequently, when any other user views the affected record, the malicious script executes within their browser context with full access to their session credentials and the ability to perform actions on their behalf.
Root Cause
The root cause is the use of Vue.js's v-html directive for rendering user-controlled content without implementing proper input sanitization or output encoding. The v-html directive bypasses Vue's built-in XSS protections that are present when using standard template interpolation ({{ }}), making the application vulnerable to script injection when processing untrusted data.
Attack Vector
This vulnerability is exploitable over the network by any user with permissions to create or edit comments and rich text cells within a NocoDB workspace. The attack follows a stored XSS pattern where the malicious payload persists in the database, affecting all users who subsequently view the compromised content.
An attacker would craft a malicious payload containing JavaScript code within HTML tags (such as <script>, <img onerror>, or <svg onload> elements) and submit it through the comments feature or a rich text cell. Once stored, the payload executes automatically when other users access the page containing the malicious content. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-28398
Indicators of Compromise
- Unusual HTML tags or JavaScript code fragments stored in comment fields or rich text cells
- Database records containing <script>, <iframe>, <svg>, or event handler attributes like onerror, onload, onclick
- User reports of unexpected browser behavior when viewing specific NocoDB records
- Abnormal outbound requests from user browsers to external domains after viewing NocoDB content
Detection Strategies
- Review database content for stored HTML/JavaScript payloads in user-editable fields
- Monitor web application firewall (WAF) logs for XSS payload patterns in POST requests to comment or cell update endpoints
- Implement Content Security Policy (CSP) headers with reporting to detect inline script execution attempts
- Audit NocoDB access logs for suspicious patterns of content creation followed by views from multiple users
Monitoring Recommendations
- Enable browser-based XSS detection and CSP violation reporting
- Monitor for abnormal session activity that may indicate compromised user accounts
- Implement real-time alerting on database writes containing suspicious HTML patterns
- Review audit logs for bulk access to records containing recently modified comments or rich text content
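The CSP violation reporting recommended above only becomes a detection when someone triages the reports. The following is an added example, not NocoDB's code: it classifies browser CSP reports and groups script violations by page, so that a record whose inline script is blocked in several different users' browsers stands out. It assumes the deployed policy carries a report-uri (or report-to) directive and the 'report-sample' keyword, and that the collector endpoint stores each JSON report together with the authenticated user it came from. The collector, the user names, the NocoDB URL paths and the reports themselves are constructed for this example.

```javascript
// Added example, not NocoDB project code: triage of CSP violation reports.
// Assumes a report-uri/report-to collector that stores each report with the
// viewing user. Users, URL paths and reports below are constructed sample data.

// Build a report in the classic report-uri shape that browsers POST as JSON.
function makeReport(path, directive, blockedUri, sample = '') {
  return { 'csp-report': {
    'document-uri': 'https://nocodb.example.internal' + path,
    'effective-directive': directive, 'blocked-uri': blockedUri, 'script-sample': sample } };
}

// Constructed collector log: one report per entry plus the user whose browser sent it.
const COLLECTED = [
  { user: 'alice', report: makeReport('/nc/proj1/table1?rowId=42', 'script-src', 'inline', 'alert(1)') },
  { user: 'bob',   report: makeReport('/nc/proj1/table1?rowId=42', 'script-src', 'inline', 'alert(1)') },
  { user: 'carol', report: makeReport('/dashboard', 'style-src', 'inline') },
  { user: 'dave',  report: makeReport('/nc/proj1/table1?rowId=7', 'script-src', 'https://cdn.example.net/x.js') },
  { user: 'erin',  report: makeReport('/nc/proj1/table1?rowId=7', 'img-src', 'https://tracker.example.net/p.gif') },
];

// Classify one report. Only script-src violations (script-src-elem/-attr in
// newer browsers) matter for XSS. A blocked URI of "inline" or "eval" means
// the page tried to run script the policy refused, which is what a stored
// <script> element or on* handler produces once it is rendered.
function classifyReport(r) {
  const body = r['csp-report'] ?? r;
  const directive = String(body['effective-directive'] || body['violated-directive'] || '').split(' ')[0];
  const blocked = String(body['blocked-uri'] || '');
  if (!directive.startsWith('script-src')) return 'noise';
  if (blocked === 'inline' || blocked === 'eval') return 'inline-script';
  return 'external-script';
}

// Group script violations by page. The same record page producing inline-script
// violations for several distinct users is the signature of stored content
// executing in viewers' browsers; a single user may just have a broken extension.
function findSuspectPages(entries, minUsers = 2) {
  const byPage = new Map();
  for (const { user, report } of entries) {
    const kind = classifyReport(report);
    if (kind === 'noise') continue;
    const page = String((report['csp-report'] ?? report)['document-uri']).split('#')[0];
    const e = byPage.get(page) ?? { page, kinds: new Set(), users: new Set() };
    e.kinds.add(kind); e.users.add(user); byPage.set(page, e);
  }
  return [...byPage.values()].filter(e => e.users.size >= minUsers)
    .map(e => ({ page: e.page, users: [...e.users].sort(), kinds: [...e.kinds].sort() }));
}

console.log(JSON.stringify(findSuspectPages(COLLECTED), null, 2));
```

With the constructed log, only the page for rowId=42 is reported (two users, inline script); the external script seen by one user on rowId=7 is kept as a classified event but does not cross the threshold. Lowering minUsers to 1 surfaces it as well, which is a reasonable setting during an active investigation.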
How to Mitigate CVE-2026-28398
Immediate Actions Required
- Upgrade NocoDB to version 0.301.3 or later immediately
- Audit existing database content for potentially malicious payloads in comments and rich text fields
- Review user activity logs for any evidence of exploitation attempts
- Consider temporarily restricting comment and rich text editing permissions until patching is complete
Patch Information
NocoDB has addressed this vulnerability in version 0.301.3. The fix implements proper HTML sanitization for user-controlled content before rendering via v-html. Organizations should upgrade to this version or later as soon as possible. The release is available from the NocoDB GitHub Releases page.
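Two pieces the page describes in prose, the sanitization step that must run before rich-text HTML is bound to v-html and the scan of stored comment and cell values for the indicator patterns listed under Detection Methods, as one added example. This is not NocoDB's code and not the 0.301.3 fix, which may use a different library and allowlist; the tag and attribute allowlists, the safe URL schemes and the sample rows are assumptions constructed for this example. A production fix should use a maintained sanitizer such as DOMPurify rather than a hand-rolled tokenizer like this one.

```javascript
// Added example, not NocoDB project code. Two defender-side pieces the advisory
// describes in prose: an allowlist sanitizer to apply to rich-text HTML before
// it is bound to v-html, and a scanner for the indicator patterns (script,
// iframe, svg tags; on* handlers; javascript: URLs) in exported stored values.
// The allowlists are assumptions for this example; NocoDB's fix in 0.301.3 may
// use a different library and allowlist. Use a maintained sanitizer such as
// DOMPurify in production rather than a hand-rolled tokenizer like this one.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'code', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = new Map([['a', new Set(['href'])]]); // every other attribute is dropped
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const RAW_TEXT_TAGS = new Set(['script', 'style']);       // removed together with their bodies
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'svg', 'object', 'embed']);
const TAG_RE = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Escape text so the browser never parses it as markup; existing entities such
// as &amp; are left alone to avoid double-encoding.
function escapeText(s) {
  return s.replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function parseAttrs(raw) {
  return [...raw.matchAll(ATTR_RE)].map(m => ({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? '' }));
}

// Relative URLs and allowlisted schemes only. Control characters and whitespace
// are stripped first because browsers ignore them, so "java\tscript:" would
// otherwise slip past a naive prefix check.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = cleaned.match(/^[a-z][a-z0-9+.-]*:/);
  return scheme === null || SAFE_SCHEMES.has(scheme[0]);
}

// Mitigation: rebuild the fragment from the allowlist. Unknown tags are removed
// but their text kept; script/style elements are removed with their contents;
// anything that is not a well-formed tag is escaped as text.
function sanitizeRichText(html) {
  let out = '', last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const closing = m[1] === '/', name = m[2].toLowerCase();
    if (!closing && RAW_TEXT_TAGS.has(name)) {
      const closeRe = new RegExp(`</${name}\\s*>`, 'gi');
      closeRe.lastIndex = last;
      last = closeRe.exec(html) ? closeRe.lastIndex : html.length;
      TAG_RE.lastIndex = last;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const { name: an, value } of parseAttrs(m[3])) {
      if (!ALLOWED_ATTRS.get(name)?.has(an)) continue;     // drops on*, style, src, ...
      if (an === 'href' && !isSafeUrl(value)) continue;    // drops javascript:/data: links
      attrs += ` ${an}="${escapeText(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Detection: indicator hits in one stored comment or cell value. A triage aid
// for database exports, not a sanitizer.
function scanStoredValue(value) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  for (const m of value.matchAll(TAG_RE)) {
    const name = m[2].toLowerCase();
    if (m[1] !== '/' && DANGEROUS_TAGS.has(name)) findings.push({ indicator: `tag:${name}`, sample: m[0] });
    for (const { name: an, value: av } of parseAttrs(m[3])) {
      if (/^on[a-z]+$/.test(an)) findings.push({ indicator: `event-handler:${an}`, sample: m[0] });
      if (['href', 'src', 'action'].includes(an) && !isSafeUrl(av)) findings.push({ indicator: `url-scheme:${an}`, sample: m[0] });
    }
  }
  return findings;
}

// Constructed sample rows standing in for exported comment/rich-text values.
const SAMPLE_ROWS = [
  { id: 1, value: '<p>Ship <b>v2</b> on <a href="https://example.com/plan">Friday</a></p>' },
  { id: 2, value: '<p>Hi</p><SCRIPT>alert(1)</SCRIPT>' },
  { id: 3, value: '<img src=x onerror="alert(1)">' },
  { id: 4, value: '<a href="java\tscript:alert(1)">link</a>' },
];

// Row ids that need a human look.
function flaggedRowIds(rows) {
  return rows.filter(r => scanStoredValue(r.value).length > 0).map(r => r.id);
}

for (const r of SAMPLE_ROWS) console.log(r.id, JSON.stringify(sanitizeRichText(r.value)));
console.log('flagged rows:', flaggedRowIds(SAMPLE_ROWS));
```

On the sample rows the legitimate markup in row 1 survives unchanged, the script element in row 2 is removed with its body, row 3 collapses to nothing, and row 4 keeps its link text but loses the javascript: href; the scanner flags rows 2, 3 and 4. Where rich text is not actually required, Vue's standard {{ }} interpolation (which escapes) remains the simpler and safer choice; where it is, sanitize at write time and again immediately before the value reaches v-html, so a payload that entered the database before the upgrade cannot execute on render.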
Workarounds
- Deploy a Web Application Firewall (WAF) with XSS filtering rules to block malicious payloads in requests
- Implement strict Content Security Policy headers to prevent inline script execution
- Restrict comment and rich text editing permissions to trusted users only until the patch can be applied
- Consider database-level content filtering or monitoring as a temporary defensive measure
# Example CSP header configuration for nginx
# Roll out as Content-Security-Policy-Report-Only first and review the violation
# reports, then switch to the enforcing header below. Adding a report-uri or
# report-to directive delivers the inline-script violations that the detection
# strategies above rely on.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.