GHSA-wwp2-x4rj-j8rm

Suggest an improvement
Source
https://github.com/advisories/GHSA-wwp2-x4rj-j8rm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wwp2-x4rj-j8rm/GHSA-wwp2-x4rj-j8rm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwp2-x4rj-j8rm
Aliases
Published
2026-03-03T20:59:50Z
Modified
2026-03-04T15:06:30.720061Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Details

Summary

Rich text cell content rendered via v-html without sanitization, enabling stored XSS.

Details

Rich text in TextArea.vue was parsed by markdown-it with html: true and injected via v-html without DOMPurify. A user with Editor role can inject arbitrary HTML that executes for all viewers.

Impact

Stored XSS — malicious scripts execute for any user viewing the cell.

Credit

This issue was discovered by an AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @p- (Peter Stockli) and @m-y-mo (Man Yue Mo).

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T20:59:50Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-02T17:16:35Z"
}
References

Affected packages

npm / nocodb

Package

Name
nocodb
View open source insights on deps.dev
Purl
pkg:npm/nocodb

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.301.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wwp2-x4rj-j8rm/GHSA-wwp2-x4rj-j8rm.json"
last_known_affected_version_range 
"<= 0.301.2"