CVE-2026-28398

EPSS 0.04%

NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells

Published: 2026/3/3 Modified: 2026/3/4

Description

### Summary

User-controlled content in comments and rich text cells was rendered via `v-html` without sanitization, enabling stored XSS.

### Details

Comments in `Comments.vue` and rich text in `TextArea.vue` were parsed by markdown-it with `html: true` and injected via `v-html`. The codebase had `vue-dompurify-html` available but these paths used raw `v-html`. Server-side, `Comment.insert()` used `extractProps()` instead of `extractPropsAndSanitize()`. Commenter role is sufficient for the comments vector; Editor role for rich text.

This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.

### Impact

Stored XSS — malicious scripts execute for any user viewing the comment or cell.

### Credit

This issue was reported by [@bugbunny-research](https://github.com/bugbunny-research) (bugbunny.ai).
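The vulnerable rendering path beside its hardened form, as an added example that is not NocoDB's own code: the component, its `body` prop and the markdown-it setup are assumptions, and `vue-dompurify-html` is assumed to be registered on the app.

```vue
<!-- Hypothetical comment renderer (not NocoDB's Comments.vue); both paths shown for comparison. -->
<script setup>
import MarkdownIt from 'markdown-it'
import { computed } from 'vue'

// Assumed prop: the stored comment text exactly as a Commenter-role user submitted it.
const props = defineProps({ body: { type: String, required: true } })

// Weak setting from the advisory: raw HTML in the comment passes straight through markdown-it.
const mdUnsafe = new MarkdownIt({ html: true })
// Corrected parser option: inline HTML is escaped to text instead of emitted as markup.
const mdSafe = new MarkdownIt({ html: false })

const renderedUnsafe = computed(() => mdUnsafe.render(props.body))
const renderedSafe = computed(() => mdSafe.render(props.body))
</script>

<template>
  <!-- BEFORE: v-html inserts whatever markdown-it produced, so any tag kept from the
       stored comment reaches the DOM of every viewer. -->
  <div v-html="renderedUnsafe" />

  <!-- AFTER: v-dompurify-html (directive from vue-dompurify-html, registered with
       app.use(VueDOMPurifyHTML)) runs DOMPurify over the rendered string before insertion;
       combined with html: false, the raw-HTML path is closed on both the parser and the DOM side. -->
  <div v-dompurify-html="renderedSafe" />
</template>
```

The server-side half of the fix the advisory names, sanitizing on `Comment.insert()`, still applies: the client directive protects viewers, but stored content should not contain markup in the first place.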

Affected packages (1)

CVSS Score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |

References (4)