{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28398", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.288Z", "datePublished": "2026-03-02T16:19:23.356Z", "dateUpdated": "2026-03-03T15:55:30.946Z"}, "containers": {"cna": {"title": "NocoDB: Stored Cross-Site Scripting via Comments and Rich Text Cells", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7"}, {"name": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"version": "< 0.301.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T16:19:23.356Z"}, "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3."}], "source": {"advisory": "GHSA-8vm4-g489-v3w7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:55:22.343411Z", "id": "CVE-2026-28398", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:55:30.946Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:55:22.343411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:55:26.527Z"}}], "cna": {"title": "NocoDB: Stored Cross-Site Scripting via Comments and Rich Text Cells", "source": {"advisory": "GHSA-8vm4-g489-v3w7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "< 0.301.3"}]}], "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "name": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T16:19:23.356Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28398", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:55:30.946Z", "dateReserved": "2026-02-27T15:33:57.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-02T16:19:23.356Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AE4D8D2-EBCC-4E55-8FC1-3353EAB8B008", "versionEndExcluding": "0.301.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3."}], "id": "CVE-2026-28398", "lastModified": "2026-03-03T19:01:49.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-02T17:16:34.923", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-8vm4-g489-v3w7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.301.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nocodb", "source": "cna", "vendor": "nocodb"}, "product": "nocodb", "vendor": "nocodb"}], "analysis": {"en": {"generated_at": "2026-04-16T14:29:43.797286+00:00", "value": {"mitigation_remediation": ["Upgrade NocoDB to version 0.301.3 or later, which includes the input sanitization fix for comments and rich text cells.", "If an upgrade is not immediately possible, restrict write access to the comment and rich text fields or implement server\u2011side sanitization to neutralize script tags before storage.", "Implement web\u2011application security controls such as Content Security Policy and X\u2011SSEnforcement headers to mitigate the impact of any remaining XSS payloads.", "Monitor user activity logs for unexpected script insertions and review rendered content for signs of exploitation."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the NocoDB platform from any version before 0.301.3. The affected product is identified as \"NocoDB\"; all earlier releases are vulnerable once a user can add or edit comments or rich text cells. The issue was addressed in release 0.301.3, so any instance running 0.301.3 or later is no longer susceptible.", "description_and_impact": "NocoDB previously allowed user\u2011controlled comments and rich text cells to be rendered with Vue's v-html directive without sanitization. An attacker who can create or modify content in these fields can embed JavaScript that will execute in the browsers of any user who views the affected record, enabling session hijacking, data exfiltration, or UI defacement. The flaw is a typical stored XSS vulnerability as identified by CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which further implies that no known large\u2011scale attacks are currently associated with it. Attackers would need access to the NocoDB UI to inject malicious content, making the attack vector local or requiring compromised user credentials. Overall, the risk is moderate, but the exploitation likelihood remains low under normal circumstances."}}}}, "created": "2026-03-03T08:42:43.039511+00:00", "updated": "2026-04-16T14:30:16.162381+00:00", "vendors": ["nocodb", "nocodb$PRODUCT$nocodb"]}