
NocoDB CVE-2026-24769

Severity: CRITICAL (CVSS 3.1 base score 9.0, GitHub Advisory)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-01-28 by security-advisories@github.com (GHSA-q5c6-h22r-qpwr)

Severity by source

GitHub Advisory (primary): 9.0 CRITICAL
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd) - Patch available
Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Feb 04, 2026 - 20:01 (vuln.today) - Public exploit code
CVE Published: Jan 28, 2026 - 21:16 (nvd)

Description (GitHub Advisory)

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
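Two defender-side checks for the SVG-attachment pattern described above, written here as an added example (this is not NocoDB's own code; the function names and the sample SVG strings are constructed for illustration). The first flags uploaded SVG text that carries script-capable constructs; the second builds the response headers that keep a user-supplied file from being rendered inline under the application's origin even if a malicious one is stored.

```javascript
// Added example, not NocoDB code. Names and samples are constructed.
//
// 1. svgHasActiveContent(): conservative upload-time scan for SVG constructs
//    that can execute script or embed foreign documents. It is deliberately
//    broad (false positives are acceptable for an upload filter); a production
//    filter would parse the XML and walk elements/attributes instead.
// 2. safeAttachmentHeaders(): headers that force download, forbid MIME
//    sniffing and sandbox the response, so an inline render cannot run
//    script or reach the app origin. This is a compensating control, not a
//    substitute for the vendor patch (0.301.0).

const ACTIVE_CONTENT_PATTERNS = [
  /<\s*script\b/i,                          // <script> elements
  /\son[a-z]+\s*=/i,                        // onload=, onclick=, ... handlers
  /javascript\s*:/i,                        // javascript: URLs in href
  /<\s*foreignObject\b/i,                   // arbitrary HTML inside SVG
  /<\s*(iframe|embed|object)\b/i,           // nested active documents
  /<\s*(use|image)\b[^>]*href\s*=\s*["']?\s*(https?:|data:)/i, // external refs
];

function svgHasActiveContent(svgText) {
  return ACTIVE_CONTENT_PATTERNS.some((re) => re.test(svgText));
}

function safeAttachmentHeaders(filename, mimeType) {
  // Strip anything outside [A-Za-z0-9_.-] so the header cannot be broken out of.
  const safeName = filename.replace(/[^\w.\-]/g, "_");
  return {
    "Content-Type": mimeType,
    "Content-Disposition": `attachment; filename="${safeName}"`,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}

// Constructed samples (not taken from any real report or exploit).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
const SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* x */</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>';
```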

Analysis (AI)

NocoDB spreadsheet platform prior to 0.301.0 has a stored XSS vulnerability (CVSS 9.0) that enables code execution through malicious cell content in shared views.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to NocoDB
Delivery: Upload malicious SVG with embedded JavaScript
Exploit: Victim views attachment
Execution: JavaScript executes in victim's browser context
Impact: Account compromise and data exfiltration

Vulnerability Assessment (AI)

Exploitation: Authenticated user account required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 9.0 with PoC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker inserts an XSS payload into a NocoDB cell, then shares the view. Every user who opens the shared view has the malicious script execute in their browser, stealing their session tokens.
Remediation: Update NocoDB to 0.301.0+. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all NocoDB deployments and document current versions; restrict attachment upload functionality if operationally feasible; notify all NocoDB users of the vulnerability. …


CVE-2026-24769 vulnerability details – vuln.today
