Skip to main content

NocoDB CVE-2026-47383

| EUVDEUVD-2026-38617 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 https://github.com/nocodb/nocodb GHSA-jf3g-4gwg-4h66
7.4
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.7 HIGH

Network-reachable stored XSS needing a low-priv authenticated commenter (PR:L) and victim hover (UI:R); script runs in victim's browser context (S:C) and steals JWT (C:H/I:H, A:N).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/nocodb/nocodb).

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 23, 2026 - 21:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 21:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 23, 2026 - 21:22 NVD
7.4 (HIGH)
Source Code Evidence Fetched
Jun 05, 2026 - 16:50 vuln.today
Analysis Generated
Jun 05, 2026 - 16:50 vuln.today

DescriptionCVE.org

Summary

An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.

Details

The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.

Impact

Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from localStorage. Authentication and comment permission are required.

Credit

This issue was reported by @DavidCarliez. It was independently reported by @Mouhebbenelwafi.

AnalysisAI

Stored Cross-Site Scripting in NocoDB <= 2026.05.0 allows authenticated commenters to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. Successful exploitation runs script in the NocoDB origin under the victim's session, enabling theft of the auth JWT from localStorage. No public exploit identified at time of analysis; EPSS is low (0.11%, 29th percentile) and the issue is not listed in CISA KEV.

Technical ContextAI

NocoDB is an open-source no-code database platform (npm package nocodb) that exposes a spreadsheet-style UI over relational databases. The flaw is a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) caused by storing raw comment bodies without server-side sanitization and then rendering the body into a Tippy.js tooltip via the data-tooltip attribute with allowHTML: true. Even though the rich-text editor stripped <script> tags on write, attribute-level payloads (for example, event-handler attributes on otherwise innocuous tags) were re-parsed as live HTML by Tippy on hover, bypassing the client-side filter.

RemediationAI

Upgrade NocoDB to version 2026.05.1 or later, which adds server-side sanitization on the comment write paths and removes unsafe HTML rendering from the expanded-form tooltip, per the vendor advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-jf3g-4gwg-4h66 and release notes at https://github.com/nocodb/nocodb/releases/tag/2026.05.1. If immediate patching is not possible, restrict comment-creation permission to a minimal set of fully trusted users in each base/workspace (trade-off: blocks collaboration workflows that depend on comments), and consider deploying a strict Content-Security-Policy that disallows inline event handlers on the NocoDB origin (trade-off: may break legitimate UI features and requires testing). Rotating JWT signing keys and forcing re-login after upgrade is prudent if you suspect any account with comment access may have been abused.

Share

CVE-2026-47383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy