PT-2026-22630 · Nocodb · Nocodb

Akokonunes

+1

·

Published

2026-03-02

·

Updated

2026-03-02

·

CVE-2026-28359

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 0.301.3
Description NocoDB is software for building databases as spreadsheets. An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells. This is achieved by bypassing the TipTap editor and sending raw HTML via the API. The vulnerable API allows for the injection of malicious code through Rich Text cells.
Recommendations Update to version 0.301.3 or later.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2026-28359
GHSA-QXWQ-Q265-HC44

Affected Products

Nocodb