CVE-2026-28397 in NocoDB
Summary
by MITRE • 03/02/2026
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.
Analysis
by VulDB Data Team • 03/04/2026
The vulnerability identified as CVE-2026-28397 affects NocoDB, a database management platform that allows users to create spreadsheet-like interfaces for data organization and collaboration. This software serves as a bridge between traditional database systems and user-friendly spreadsheet applications, making it particularly valuable for business users who require database functionality without deep technical expertise. The vulnerability resides within the comment rendering system, which processes user-generated content through the v-html directive, a feature commonly used in Vue.js applications for dynamic content insertion. This flaw represents a critical security oversight that directly impacts the platform's ability to safely handle user input and maintain data integrity across collaborative environments.
The technical flaw stems from the improper handling of user comments within the NocoDB application's frontend component. When users create comments within the system, these inputs are processed through the v-html directive without appropriate sanitization measures. This approach directly violates fundamental security principles for handling untrusted input: v-html inserts the string into the DOM as raw HTML, bypassing the escaping that Vue's normal text interpolation would apply and that would otherwise prevent malicious markup from executing as script. The vulnerability creates a stored cross-site scripting condition where malicious actors can inject persistent JavaScript payloads into comment fields that will execute whenever other users view those comments. This is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') vulnerability, specifically manifesting as a stored XSS vector that persists across user sessions and application restarts.
The operational impact of this vulnerability extends beyond simple data corruption, potentially enabling attackers to perform sophisticated attacks against users within the NocoDB environment. An attacker who successfully exploits this vulnerability could execute arbitrary JavaScript code in the context of other users' browsers, potentially stealing session cookies, accessing sensitive data, performing unauthorized actions on behalf of victims, or redirecting users to malicious websites. The stored nature of this XSS vulnerability means that once a malicious comment is posted, it will affect all users who view that comment, creating a persistent threat vector that can compromise multiple users simultaneously. This vulnerability is particularly dangerous in collaborative environments where multiple users share databases and comment extensively, as a single malicious comment can compromise the entire user base. The attack surface is further expanded by the fact that NocoDB's user interface is designed for collaboration, making it likely that users will frequently interact with comment sections, increasing the likelihood of exploitation.
Mitigation efforts should focus on implementing proper input sanitization and output encoding mechanisms within the NocoDB application. The recommended fix involves upgrading to version 0.301.3 or later, which includes proper sanitization of user comments before rendering them through the v-html directive. Organizations should also implement additional security measures such as Content Security Policy headers to limit the execution of inline scripts, regular security scanning of user-generated content, and user education regarding the dangers of clicking on suspicious links within comments. From a defensive perspective, this vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, where malicious actors could leverage the XSS vulnerability to deliver additional payloads or redirect users to compromised systems. The vulnerability demonstrates the importance of following secure coding practices, particularly when dealing with dynamic content rendering and user input handling, as outlined in OWASP Top Ten categories and the CWE database classification system. Organizations using NocoDB should conduct thorough security assessments of their deployment and monitor for any signs of exploitation attempts or unauthorized access to their database environments.
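The rendering flaw described in the analysis and the fix it calls for, as an added example that is not NocoDB's own code: the escaping that Vue's `{{ }}` interpolation applies to comment text, next to a constructed allowlist sanitizer showing what "sanitizing before v-html" means in practice. The function names, the allowlist and the sample comments are assumptions; production code should use a vetted library such as DOMPurify rather than a hand-written parser.

```javascript
// Vulnerable pattern (Vue template):  <div v-html="comment.body"></div>
// Hardened alternatives:              <div>{{ comment.body }}</div>
//                                     <div v-html="sanitizeComment(comment.body)"></div>
// Allowlist and helper names below are constructed for this illustration.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "p", "br", "a"]);
const SAFE_HREF = /^(https?:|mailto:)/i;

// HTML-escape text so it is displayed, never parsed as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// What {{ }} interpolation does: the whole comment becomes inert text.
function renderEscaped(comment) {
  return escapeHtml(comment);
}

// Allowlist sanitizer: text between tags is escaped; a tag is re-emitted only
// if its name is allowlisted, with every attribute dropped except a safe-scheme
// href on <a>. Unknown tags (script, img, iframe, ...) vanish, their inner text stays.
function sanitizeComment(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith("</");
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "";
    if (name === "a") {
      const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(m[2]);
      if (href && SAFE_HREF.test(href[1].trim())) {
        attrs = ` href="${escapeHtml(href[1])}" rel="noopener noreferrer"`;
      }
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(html.slice(last));
}
```

Note that even the sanitized path keeps only a few formatting tags; if comments never need markup, the escaping path is the simpler and safer choice.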