CVE-2026-28398
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Description
### Summary

User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.

### Details

Comments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and the resulting HTML was injected via `v-html`. The codebase had `vue-dompurify-html` available, but these two paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`, so nothing stripped the markup on the way into storage either. The Commenter role is sufficient for the comments vector; the Editor role is required for the rich text vector.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.

### Impact

Stored XSS: the injected script executes in the browser of any user who views the comment or cell.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).
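The following is an added example, not NocoDB's or markdown-it's code. It models the two rendering paths the advisory describes with a toy markdown renderer: with `html: true` the user's raw HTML passes straight through to what `v-html` would bind, and with `html: false` it is escaped first. The payload, the `renderVulnerable`/`renderHardened` names and the `hasActiveContent` oracle are constructed for illustration. The hardened path here disables raw HTML at the markdown layer; sanitizing the rendered output with DOMPurify (the `vue-dompurify-html` the advisory mentions) is the other option, and either one has to be applied at every `v-html` sink, not just the ones reported.

```javascript
// Added example (not NocoDB or markdown-it code): a minimal model of the two
// rendering paths the advisory describes. It reproduces only the property that
// matters here: whether raw HTML typed into a comment reaches the DOM untouched
// (markdown-it `html: true` bound with `v-html`) or is escaped before it gets there.

// Escape the five characters that can change HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy markdown renderer: supports **bold** and [text](https://url) only.
// `html: true` passes the source through verbatim, as markdown-it's `html`
// option does; `html: false` escapes it first, so a stored `<img onerror>`
// becomes inert text while the markdown features still work.
function renderMarkdown(source, { html }) {
  const base = html ? source : escapeHtml(source);
  return base
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\[([^\]]+)\]\((https?:\/\/[^\s)"']+)\)/g, '<a href="$2">$1</a>');
}

// Pre-fix path, as the advisory describes Comments.vue / TextArea.vue.
function renderVulnerable(comment) {
  return renderMarkdown(comment, { html: true });
}

// Hardened path: raw HTML disabled at the markdown layer. Sanitizing the same
// output with DOMPurify (vue-dompurify-html) is the alternative the advisory
// mentions; either way every `v-html` sink must go through it.
function renderHardened(comment) {
  return renderMarkdown(comment, { html: false });
}

// Test oracle (not a sanitizer): flags HTML that contains a script-capable
// element, an inline event handler inside a real tag, or a javascript: URL.
// Escaped text such as `&lt;img onerror=...&gt;` does not match because the
// attribute pattern requires an actual `<tag` in front of it.
function hasActiveContent(html) {
  return /<(script|iframe|object|embed|svg)\b/i.test(html)
    || /<[a-z][^>]*\s+on[a-z]+\s*=/i.test(html)
    || /<a\b[^>]*href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed payload, as a user with the Commenter role could submit it.
const PAYLOAD = 'Nice work! <img src=x onerror="alert(document.cookie)"> **thanks**';

// Run both paths against a comment and report which output would execute
// script once bound to the DOM with v-html.
function compare(comment = PAYLOAD) {
  const vulnerable = renderVulnerable(comment);
  const hardened = renderHardened(comment);
  return {
    vulnerable,
    hardened,
    vulnerableExecutes: hasActiveContent(vulnerable),
    hardenedExecutes: hasActiveContent(hardened),
  };
}

console.log(compare());
```

The oracle is deliberately only a regression check: it exists to prove that the escaped output no longer contains a live tag, not to decide what is safe. A real deployment should rely on the renderer configuration or DOMPurify, and keep a test like `compare()` in the suite so a future template cannot reintroduce a raw `v-html` binding unnoticed.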
How to fix CVE-2026-28398
To remediate CVE-2026-28398, upgrade the affected package to a fixed version below.
- Upgrade NocoDB to 0.301.3 or later.
Is CVE-2026-28398 being exploited?
Low. The EPSS score is 0.0%, meaning the model estimates a negligible probability of exploitation in the next 30 days. EPSS is a forecast, not a record of observed attacks, so it should be read alongside the low privilege bar noted above (Commenter role) rather than as proof that the flaw is unexploited.
Affected packages (1)
- NocoDB, versions >= 0 and < 0.301.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |

Note that the recorded vector has PR:N (no privileges required) while the description states that a Commenter or Editor role is needed to plant the payload; when triaging, use the description's precondition and treat UI:P as the victim merely viewing the comment or cell.