MEDIUM

GHSA-8vm4-g489-v3w7

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Details

### Summary

User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.

### Details

Comments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and injected via `v-html`. The codebase had `vue-dompurify-html` available but these paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`.

Commenter role is sufficient for the comments vector; Editor role for rich text.
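As an added illustration (not NocoDB's code, and not a replacement for `vue-dompurify-html` on the render path), the Node.js script below sketches the kind of allowlist sanitization that a server-side insert path such as `extractPropsAndSanitize()` applies before a comment or rich-text value is stored. `ALLOWED_TAGS`, `insertComment()`, `HREF_RE` and the sample payload are constructed for the example; a regex tokenizer like this is a teaching aid, and production code should rely on a maintained sanitizer such as DOMPurify.

```javascript
// Added example, not NocoDB's code: an allowlist sanitizer of the kind a
// server-side insert path (the advisory's extractPropsAndSanitize()) would
// apply before a comment or rich-text value is stored. The render path should
// still use vue-dompurify-html rather than raw v-html; this is defence in depth.
// ALLOWED_TAGS, insertComment() and the sample payload below are constructed.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'a',
]);
// Only these URL schemes survive on <a href>; javascript:, data: etc. are dropped.
const SAFE_HREF = /^(https?:|mailto:)/i;

// Text nodes: escaping < and > is enough to stop new tags from forming;
// existing entities such as &amp; are left alone to avoid double-encoding.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values need the full set, since a stray " would end the attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Tag-shaped sequences; everything between matches is treated as text.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// Pulls the href value out of an opening <a ...> tag (double-, single- or unquoted).
const HREF_RE = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (!ALLOWED_TAGS.has(tag)) continue;         // <script>, <img>, <iframe>, ... dropped
    if (closing) { out += `</${tag}>`; continue; }
    if (tag === 'a') {
      const h = HREF_RE.exec(m[2]);
      const url = (h ? (h[1] ?? h[2] ?? h[3]) : '').trim();
      out += SAFE_HREF.test(url)
        ? `<a href="${escapeAttr(url)}" rel="noopener noreferrer">`
        : '<a>';                                   // unsafe scheme: keep the link text only
      continue;
    }
    out += `<${tag}>`;                             // every other attribute (onerror, style, ...) discarded
  }
  out += escapeText(html.slice(last));
  return out;
}

// Hypothetical insert path: sanitize the HTML-bearing field before persisting,
// so the stored value is inert regardless of how a client later renders it.
function insertComment(row) {
  return { ...row, comment: sanitizeHtml(String(row.comment ?? '')) };
}

// Constructed sample of the markup this closes off.
const SAMPLE = '<p>Hi</p><img src=x onerror=alert(1)><script>alert(2)</script>'
  + '<a href="javascript:alert(3)" onclick="x()">x</a>';

console.log(insertComment({ fk_model_id: 'constructed', comment: SAMPLE }).comment);
```

Two design points are worth noticing. Dropping a forbidden tag keeps its inner text, so `alert(2)` above survives as visible, inert text rather than executing; a full sanitizer would remove the whole `<script>` subtree. And sanitizing on insert does not make `v-html` safe for values that were stored before the fix, which is why the render path also needs `v-dompurify-html` (or markdown-it with `html: false`).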

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.

### Impact

Stored XSS — malicious scripts execute for any user viewing the comment or cell.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).

Affected packages

npm / nocodb
Introduced in: 0
Fixed in: 0.301.3
Fix: `npm install nocodb@0.301.3`

References