{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-03-02T16:20:00.697Z", "dateUpdated": "2026-03-03T15:53:33.578Z"}, "containers": {"cna": {"title": "NocoDB: Stored Cross-Site Scripting via Rich Text Cells", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm"}, {"name": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"version": "< 0.301.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T16:20:00.697Z"}, "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3."}], "source": {"advisory": "GHSA-wwp2-x4rj-j8rm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T15:51:53.181280Z", "id": "CVE-2026-28401", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:53:33.578Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28401", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T15:51:53.181280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:53:30.007Z"}}], "cna": {"title": "NocoDB: Stored Cross-Site Scripting via Rich Text Cells", "source": {"advisory": "GHSA-wwp2-x4rj-j8rm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "< 0.301.3"}]}], "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "name": "https://github.com/nocodb/nocodb/releases/tag/0.301.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-02T16:20:00.697Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28401", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:53:33.578Z", "dateReserved": "2026-02-27T15:33:57.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-02T16:20:00.697Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AE4D8D2-EBCC-4E55-8FC1-3353EAB8B008", "versionEndExcluding": "0.301.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3."}], "id": "CVE-2026-28401", "lastModified": "2026-03-03T19:02:19.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-02T17:16:35.220", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nocodb/nocodb/releases/tag/0.301.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-wwp2-x4rj-j8rm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.301.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nocodb", "source": "cna", "vendor": "nocodb"}, "product": "nocodb", "vendor": "nocodb"}], "analysis": {"en": {"generated_at": "2026-04-16T14:29:25.030605+00:00", "value": {"mitigation_remediation": ["Upgrade NocoDB to version 0.301.3 or later to apply the vendor fix.", "If an upgrade is not immediately possible, restrict editing rights for the rich\u2011text cell columns to trusted users only, limiting the injection surface area.", "Implement application\u2011level content sanitization for any rich\u2011text input to guard against future unsanitized rendering flaws."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects all NocoDB installations running versions earlier than 0.301.3. The patch that disables unsanitized rendering was introduced in release 0.301.3. Any deployment that has not yet migrated to this or later versions remains vulnerable.", "description_and_impact": "NocoDB\u2019s rich\u2011text cells were rendered using Vue.js\u2019 v\u2011html directive without any input sanitization, allowing an attacker to store malicious scripts that execute in the browser of any user who views the affected cell. The vulnerability can be used to steal authentication tokens, deface content, or perform session hijacking by leveraging a client\u2011side exploit that does not require elevated server privileges. The weakness is a classic input validation fault (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact from the data\u2011broad perspective. The EPSS score is less than 1 percent, suggesting a very low exploitation probability at the time of this analysis. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating that widespread exploitation has not been observed. Attackers are likely to target users who can edit rich\u2011text cells, making the exploitation vector an interactive attack where the attacker gains editing permissions or convinces a user with those permissions to insert malicious content."}}}}, "created": "2026-03-03T08:42:40.241614+00:00", "updated": "2026-04-16T14:30:16.161832+00:00", "vendors": ["nocodb", "nocodb$PRODUCT$nocodb"]}