CVE-2026-28357

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-28357
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28357.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28357
Aliases
Published
2026-03-02T16:16:06.406Z
Modified
2026-04-10T05:41:04.354777Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
NocoDB: Stored Cross-Site Scripting via Formula Cell
Details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28357.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nocodb/nocodb

Affected ranges

Type
GIT
Repo
https://github.com/nocodb/nocodb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
391834484b11c429e4ff5677538b3b2f16ca510d

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.100.0
0.100.1
0.100.2
0.101.0
0.101.0-beta.0
0.101.2
0.104.1
0.104.2
0.104.3
0.105.0
0.105.1
0.105.2
0.105.3
0.106.0
0.106.0-beta.0
0.106.0-beta.1
0.106.1
0.107.0
0.107.0-beta.0
0.107.0-beta.1
0.107.1
0.107.2
0.107.3
0.107.4
0.107.5
0.108.0
0.108.0-beta.0
0.108.1
0.109.0
0.109.1
0.109.2
0.109.3
0.109.4
0.109.5
0.109.6
0.109.7
0.11.0
0.11.1
0.11.10
0.11.11
0.11.12
0.11.14
0.11.15
0.11.16
0.11.17
0.11.18
0.11.19
0.11.20
0.11.21
0.11.22
0.11.23
0.11.24
0.11.25
0.11.26
0.11.28
0.11.29
0.11.3
0.11.30
0.11.31
0.11.33
0.11.34
0.11.36
0.11.39
0.11.4
0.11.40
0.11.41
0.11.42
0.11.43
0.11.44
0.11.45
0.11.46
0.11.5
0.11.6
0.11.7
0.11.9
0.111.0
0.111.1
0.111.2
0.111.3
0.111.4
0.200.0
0.202.0
0.202.10
0.202.5
0.202.6
0.202.7
0.202.8
0.202.9
0.203.0
0.203.1
0.203.2
0.204.0
0.204.1
0.204.2
0.204.3
0.204.4
0.204.5
0.204.6
0.204.7
0.204.8
0.204.9
0.205.0
0.205.1
0.207.0
0.207.1
0.207.2
0.207.3
0.250.0
0.250.1
0.250.2
0.251.0
0.251.1
0.251.2
0.251.3
0.252.0
0.253.0
0.255.0
0.255.1
0.255.2
0.256.0
0.257.0
0.257.2
0.258.0
0.258.1
0.258.10
0.258.11
0.258.2
0.258.3
0.260.0
0.260.1
0.260.2
0.260.3
0.260.4
0.260.5
0.260.6
0.260.7
0.261.0
0.262.0
0.262.1
0.262.2
0.262.3
0.262.4
0.262.5
0.263.0
0.263.1
0.263.2
0.263.3
0.263.4
0.263.6
0.263.7
0.263.8
0.264.0
0.264.1
0.264.2
0.264.3
0.264.4
0.264.6
0.264.7
0.264.8
0.264.9
0.265.0
0.265.1
0.300.0
0.301.0
0.301.1
0.301.2
0.4.5
0.4.8
0.4.9
0.80.0
0.81.0
0.81.1
0.82.0
0.83.0
0.83.1
0.83.2
0.83.3
0.83.4
0.83.5
0.83.6
0.83.8
0.84.1
0.84.10
0.84.12
0.84.13
0.84.14
0.84.15
0.84.16
0.84.2
0.84.3
0.84.6
0.84.7
0.84.8
0.84.9
0.9
0.90.0
0.90.1
0.90.10
0.90.11
0.90.3
0.90.4
0.90.7
0.90.8
0.90.9
0.91.0
0.91.1
0.91.10
0.91.6
0.91.7
0.91.8
0.91.9
0.92.0
0.92.1
0.92.2
0.92.3
0.92.4
0.96.0
0.96.4
0.97.0
0.98.1
0.98.2
0.98.3
0.98.4
0.99.0
0.99.1
0.99.2
v0.*
v0.10.0
v0.4.2
v0.4.4

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28357.json"