GHSA-jf3g-4gwg-4h66
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jf3g-4gwg-4h66
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jf3g-4gwg-4h66/GHSA-jf3g-4gwg-4h66.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jf3g-4gwg-4h66
- Aliases
-
- CVE-2026-47383
- Published
- 2026-06-05T16:19:22Z
- Modified
- 2026-06-05T16:30:07.738787426Z
- Severity
-
- 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NocoDB: Stored Cross-Site Scripting via Row Comments
- Details
-
Summary
An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.
Details
The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its
data-tooltipattribute to Tippy withallowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.Impact
Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from
localStorage. Authentication and comment permission are required.Credit
This issue was reported by @DavidCarliez. It was independently reported by @Mouhebbenelwafi.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "severity": "HIGH", "github_reviewed_at": "2026-06-05T16:19:22Z" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb