Public March 2026
NocoDB Stored XSS in Comments and Rich Text Cells
BugBunny.ai found multiple stored XSS paths in NocoDB where user-controlled comments and rich text cell content were rendered via raw v-html. Any user viewing the poisoned record or comment could execute attacker-supplied JavaScript in their browser context.
TL;DR
- Impact: stored JavaScript execution against users who view affected comments or rich text cells.
- Cause: unsanitized comment and rich-text content rendered with markdown-it and raw v-html.
- Affected: NocoDB releases up to and including 0.301.2.
- Fix: published and fixed in NocoDB 0.301.3.
Root Cause
Comments.vue and TextArea.vue accepted attacker-controlled HTML through markdown-it with the html: true option enabled (which passes raw HTML in the markdown source through unchanged instead of escaping it), then injected the rendered output back into the DOM using raw v-html.
The project already had vue-dompurify-html available, which shows the maintainers understood the need for sanitization. These specific rendering paths bypassed the safer abstraction, leaving both comment and cell content vulnerable to stored XSS.
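To make the root cause concrete, here is an added example in plain JavaScript (not NocoDB's code): a minimal allowlist sanitizer models the step the project's vue-dompurify-html helper performs before content reaches v-html, and a constructed comment payload shows what the raw path would have handed to the browser. The tag and attribute allowlists, and the SAMPLE string, are assumptions for the demonstration; a real fix should use DOMPurify rather than this tokenizer.

```javascript
// Added example, not NocoDB's code. Minimal allowlist sanitizer that shows
// the difference between v-html receiving rich text untouched and v-html
// receiving it after scripts, event handlers and javascript: URLs are removed.
// Use DOMPurify in production; this regex tokenizer only makes the check visible.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "code",
  "pre", "ul", "ol", "li", "blockquote", "a", "h1", "h2", "h3"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };   // no on* handlers anywhere
const SAFE_URL = /^(https?:|mailto:)/i;           // rejects javascript:, data:

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Keep only allowlisted attributes for this tag; hrefs must carry a safe scheme.
function filterAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const out = [];
  for (const m of raw.matchAll(attrRe)) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;                 // drops onclick, style, ...
    if (name === "href" && !SAFE_URL.test(value)) continue;
    out.push(` ${name}="${escapeHtml(value)}"`);
  }
  return out.join("");
}

// Hardened path: unknown tags (script, img, iframe, ...) become escaped text,
// allowed tags keep only vetted attributes. The raw path is simply the input.
function sanitize(html) {
  const text = html.replace(/<(?![a-zA-Z/])/g, "&lt;");   // stray '<' is text
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  return text.replace(tagRe, (whole, close, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return escapeHtml(whole);
    return close ? `</${tag}>` : `<${tag}${filterAttrs(tag, attrs)}>`;
  });
}

// Constructed sample of what a stored comment could contain.
const SAMPLE = '<p>Thanks!</p><img src=x onerror=alert(1)>' +
  '<a href="javascript:alert(2)" title="t">link</a>';
console.log("raw v-html would receive :", SAMPLE);
console.log("sanitized v-html receives:", sanitize(SAMPLE));
```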
Product: NocoDB
Affected: <= 0.301.2
Patched: 0.301.3
Weaknesses
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mitigation
- Upgrade to NocoDB 0.301.3 or later.
- Sanitize comment and rich-text HTML before rendering, or disable raw HTML entirely.
- Audit adjacent rendering paths that still use v-html directly instead of the project’s sanitized helper.
Credits & Disclosure
Published via GitHub Security Advisory GHSA-8vm4-g489-v3w7 after coordinated disclosure with the NocoDB maintainers.