Vulnerability-Lookup

GHSA-JF3G-4GWG-4H66

Vulnerability from github – Published: 2026-06-05 16:19 – Updated: 2026-06-05 16:19

Summary

NocoDB: Stored Cross-Site Scripting via Row Comments

Details

Summary

An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.

Details

The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.

Impact

Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from localStorage. Authentication and comment permission are required.

Credit

This issue was reported by @DavidCarliez. It was independently reported by @Mouhebbenelwafi.

Severity

7.4 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.05.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.05.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:19:22Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authenticated commenter could store HTML in row comments that executed as script\nwhen other users hovered over the comment in the expanded form view.\n\n### Details\nThe comment write paths persisted the raw comment body with no server-side sanitisation;\nthe expanded-form sidebar then rendered the stored body and fed its `data-tooltip`\nattribute to Tippy with `allowHTML: true`. Even when the editor stripped script tags\nat write time, attribute-level payloads re-entered the DOM as live HTML on hover.\n\n### Impact\nStored Cross-Site Scripting against any user who views the affected row. Script runs in\nthe NocoDB origin with the victim\u0027s session and can read the auth JWT from\n`localStorage`. Authentication and comment permission are required.\n\n### Credit\nThis issue was reported by [@DavidCarliez](https://github.com/DavidCarliez). It was independently reported by [@Mouhebbenelwafi](https://github.com/Mouhebbenelwafi).",
  "id": "GHSA-jf3g-4gwg-4h66",
  "modified": "2026-06-05T16:19:22Z",
  "published": "2026-06-05T16:19:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jf3g-4gwg-4h66"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Stored Cross-Site Scripting via Row Comments"
}

CVE-2026-47383 (GCVE-0-2026-47383)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:15 – Updated: 2026-06-25 12:47

Title

NocoDB: Stored Cross-Site Scripting via Row Comments

Summary

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1.

Severity

7.4 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/nocodb/nocodb/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
nocodb	nocodb	Affected: < 2026.05.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T12:47:17.503409Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T12:47:27.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nocodb",
          "vendor": "nocodb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.05.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover. This vulnerability is fixed in 2026.05.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:15:56.168Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jf3g-4gwg-4h66",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jf3g-4gwg-4h66"
        }
      ],
      "source": {
        "advisory": "GHSA-jf3g-4gwg-4h66",
        "discovery": "UNKNOWN"
      },
      "title": "NocoDB: Stored Cross-Site Scripting via Row Comments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47383",
    "datePublished": "2026-06-23T20:15:56.168Z",
    "dateReserved": "2026-05-19T19:22:45.728Z",
    "dateUpdated": "2026-06-25T12:47:27.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-JF3G-4GWG-4H66

Summary

Details

Impact

Credit

CVE-2026-47383 (GCVE-0-2026-47383)

Tags

Sightings

Nomenclature