GHSA-qxwq-q265-hc44
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qxwq-q265-hc44
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qxwq-q265-hc44/GHSA-qxwq-q265-hc44.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qxwq-q265-hc44
- Aliases
- Published
- 2026-03-02T19:51:55Z
- Modified
- 2026-03-04T15:16:17.263130Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
- Details
-
Summary
An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.
Details
The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content is rendered via
v-htmlinTextArea.vuethroughNcMarkdownParser.parse()which performs no sanitization.Impact
Stored XSS — malicious scripts execute for any user viewing the cell.
Credit
This issue was reported by @Akokonunes.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-02T19:51:55Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "nvd_published_at": "2026-03-02T17:16:34Z" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb