GHSA-6mhr-74x2-98v9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6mhr-74x2-98v9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-6mhr-74x2-98v9/GHSA-6mhr-74x2-98v9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6mhr-74x2-98v9
- Aliases
-
- CVE-2026-53929
- Published
- 2026-06-17T14:07:52Z
- Modified
- 2026-06-17T14:15:09.325467227Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- NocoDB: Stored Cross-Site Scripting via Secure Attachment
- Details
-
Summary
With
NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver.htmlor.svgattachments that the browser rendered inline from the NocoDB origin instead of forcing a download.Details
The signed attachment handler stored response-header overrides under PascalCase keys (
ResponseContentDisposition,ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped theContent-Disposition: attachmentheader, leaving Express to auto-render.html,.svg, and similar inline. The fix corrects the key case and additionally forcesContent-Disposition: attachmentandContent-Type: application/octet-streamfor any MIME type not on the preview allowlist.Impact
Stored Cross-Site Scripting in the NocoDB origin from inline-rendered uploads. Script executing in the victim's browser can read the auth JWT from
localStorage. Exploitation requires authenticated upload permission and the secure-attachment mode to be enabled.Credit
This issue was reported by @bugbunny-research. It was independently reported by @DavidCarliez.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2026-06-17T14:07:52Z", "severity": "MODERATE" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb