Coordinated Disclosure Timeline
- 2026-02-09: Vulnerability was reported via GitHub’s private vulnerability reporting feature.
- 2026-03-02: Advisory and fix were released.
Summary
NocoDB version v0.301.2 is vulnerable to a stored cross-site scripting (XSS) attack (GHSL-2026-031), where malicious scripts can be injected into comments.
Project
nocodb
Tested Version
Details
Stored Cross-Site Scripting in Comments (GHSL-2026-031)
A Stored Cross-Site Scripting (XSS) vulnerability exists in NocoDB’s expanded form comments feature. Authenticated attackers can inject malicious HTML/JavaScript into comment fields, which are then rendered without sanitization when other users view the comments. This allows arbitrary JavaScript execution in victims’ browser contexts, potentially leading to session hijacking, data theft, or unauthorized actions.
Comments are rendered through Vue's v-html directive, a sink that inserts its value into the DOM as raw HTML without escaping:
<div class="nc-rich-text-content !text-small !leading-18px !text-nc-content-gray"
v-html="parsedHtmlComments[commentItem.id]">
</div>
parsedHtmlComments generates HTML using NcMarkdownParser.parse() with no additional sanitization.
The NcMarkdownParser uses markdown-it configured with html: true, which allows raw HTML to pass through unchanged.
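As an added illustration (not NocoDB's or markdown-it's own code): a minimal stand-in for the NcMarkdownParser pipeline that reproduces what markdown-it's html option decides, renders two constructed comments under both settings, and adds a defender-side check for output that is about to reach a v-html sink. The functions renderComment and hasUnexpectedHtml, and the sample comments, are assumptions of this example.

```javascript
// Constructed sample comments: one benign, one carrying raw HTML.
const CONSTRUCTED_COMMENTS = [
  'Looks **good** to me, see [the spec](https://example.com/spec).',
  'Thanks!<script>alert(1)</script>',
];

// Standard HTML entity escaping for text that must not be parsed as markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors markdown-it's `html` option: true passes raw HTML through
// untouched (the vulnerable configuration), false escapes it first.
// Only **bold** and [text](https://url) markdown are supported here.
function renderComment(markdown, { html = false } = {}) {
  const source = html ? markdown : escapeHtml(markdown);
  return source
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\((https?:\/\/[^)\s]+)\)/g, '<a href="$2">$1</a>');
}

// Check for rendered output headed into a v-html sink: any tag the
// renderer does not emit itself, or any event-handler / javascript:
// attribute, means user-supplied HTML leaked through the parser.
const RENDERER_TAGS = new Set(['strong', 'a']);
function hasUnexpectedHtml(rendered) {
  const tagRe = /<\/?([a-z][a-z0-9-]*)\b[^>]*>/gi;
  let match;
  while ((match = tagRe.exec(rendered)) !== null) {
    if (!RENDERER_TAGS.has(match[1].toLowerCase())) return true;
    if (/\son[a-z]+\s*=|javascript:/i.test(match[0])) return true;
  }
  return false;
}

// Render every sample comment under the vulnerable and the fixed setting.
function demo() {
  return CONSTRUCTED_COMMENTS.map((comment) => ({
    vulnerable: renderComment(comment, { html: true }),
    fixed: renderComment(comment, { html: false }),
  }));
}
```

With html: true the script tag in the second comment survives into the rendered string and would execute once v-html inserts it; with html: false it is escaped and the check reports nothing unexpected.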
Impact
This issue may lead to account takeover due to stored Cross-site scripting (XSS).
CWEs
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVE
- CVE-2026-28397
Credit
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2026-031 in any communication regarding this issue.