Primary

Context

NocoDB Stored Cross-Site Scripting Vulnerability in Rich Text Cells

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in NocoDB versions through 0.301.2. This issue allows an authenticated user with Editor role to inject arbitrary HTML into Rich Text cells. The injection bypasses the TipTap editor's client-side sanitization and is executed via the API. The backend stores the raw HTML without proper server-side sanitization, leading to the execution of malicious scripts for any user viewing the affected cell.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed for users viewing the impacted Rich Text cells.

Remediation

Users can upgrade to NocoDB version 0.301.3 to address this vulnerability.

Added: Mar 2, 2026, 5:22 PM

Updated: Mar 2, 2026, 10:15 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.7

exploitability

5.0

remediation

7.7

relevance

3.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.7

exploitability

5.0

remediation

7.7

relevance

3.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

NocoDB Stored Cross-Site Scripting Vulnerability in Rich Text Cells

Vulnerability

Impact

Remediation

Affected Products

NocoDB

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating