Severity: MEDIUM

GHSA-8vm4-g489-v3w7

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Details

### Summary

User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.

### Details

Comments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and injected via `v-html`. The codebase had `vue-dompurify-html` available, but these paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`.

Commenter role is sufficient for the comments vector; Editor role for rich text.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.
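The rendering path described under Details, as an added illustration (not NocoDB's own `Comments.vue` or `TextArea.vue`): the unsafe configuration is kept in comments next to a hardened component that both disables inline HTML in markdown-it and runs the output through DOMPurify, the same library that `vue-dompurify-html` wraps. The `comment` prop and the DOMPurify option set are assumptions for the example.

```vue
<!-- Added example, not NocoDB code. `comment` is assumed to be the raw,
     user-controlled markdown body stored for a comment or rich text cell. -->
<script setup>
import { computed } from 'vue'
import MarkdownIt from 'markdown-it'
import DOMPurify from 'dompurify'

const props = defineProps({ comment: { type: String, required: true } })

// BEFORE (the pattern the advisory describes):
//   const md = new MarkdownIt({ html: true })          // raw HTML passes through
//   const rendered = computed(() => md.render(props.comment))
//   <div v-html="rendered" />                           // bound with no sanitizer
// Any markup a Commenter stored is handed to the DOM untouched.

// AFTER: two independent layers, so a failure in one does not expose users.
//  1. `html: false` makes markdown-it escape inline HTML instead of emitting
//     it; only markup that markdown-it itself generates reaches the browser.
const md = new MarkdownIt({ html: false })

//  2. The rendered HTML is still sanitized before binding. This is what the
//     `v-dompurify-html` directive from vue-dompurify-html (already a
//     dependency, per the advisory) does once the plugin is registered with
//     `app.use(VueDOMPurifyHTML)`; calling DOMPurify directly is equivalent.
const rendered = computed(() =>
  DOMPurify.sanitize(md.render(props.comment), {
    USE_PROFILES: { html: true },   // HTML only, no SVG/MathML namespaces
    FORBID_TAGS: ['style', 'form'], // nothing a comment legitimately needs
    FORBID_ATTR: ['style'],
  })
)

// Defense in depth: the server must sanitize on insert as well (the
// advisory's `extractPropsAndSanitize()` path), because other clients and
// API consumers read the same stored value without going through this view.
</script>

<template>
  <div class="comment" v-html="rendered" />
</template>
```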

### Impact

Stored XSS: malicious scripts execute for any user viewing the comment or cell.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).


Affected package

npm / nocodb
First affected version: 0. Fixed version: 0.301.3
Fix: npm install nocodb@0.301.3

References