PT-2026-22634 · Nocodb · Nocodb

Published 2026-03-02 · Updated 2026-03-03 · CVE-2026-28397

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.3

Description: NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments are rendered via Vue's v-html directive without sanitization, enabling stored Cross-Site Scripting (XSS). A malicious script placed in a comment is executed when other users view that comment. Because v-html inserts the bound string as raw markup, it bypasses the HTML encoding that standard text interpolation applies, so an attacker can run arbitrary JavaScript in the context of the application.

Recommendations: Update to version 0.301.3 or later.
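The following is an added illustration, not NocoDB's code: a small code-review helper that flags v-html bindings in a Vue template whose expression is not visibly passed through a sanitizer, alongside the escaping that text interpolation performs and v-html skips. The sanitizer names it recognises and the sample template are constructed assumptions.

```javascript
// Added illustration, not NocoDB's code. Two defender-side pieces:
//  1. auditVHtml(): scan a Vue template for v-html bindings whose expression is
//     not visibly wrapped in a sanitizer call (heuristic; names assumed below);
//  2. escapeHtml(): the encoding that {{ }} interpolation applies and v-html skips.
// The sanitizer names and the sample template are constructed assumptions.

const SANITIZER_CALL = /\b(?:DOMPurify\.sanitize|sanitize(?:Html)?)\s*\(/;
const V_HTML_BINDING = /\bv-html\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Return every v-html binding with its 1-based line number and whether the bound
// expression passes through a recognised sanitizer before reaching the DOM.
function auditVHtml(template) {
  const findings = [];
  template.split('\n').forEach((text, idx) => {
    for (const m of text.matchAll(V_HTML_BINDING)) {
      const expr = (m[1] ?? m[2]).trim();
      findings.push({ line: idx + 1, expr, sanitized: SANITIZER_CALL.test(expr) });
    }
  });
  return findings;
}

// Encode the characters that let text break out of a text node or attribute
// value; this is what text interpolation does and what v-html bypasses.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for a comment component: one raw v-html binding (the
// pattern the advisory describes), one sanitized binding, one interpolation.
const SAMPLE_TEMPLATE = `
<div class="comment">
  <div v-html="comment.body"></div>
  <div v-html="DOMPurify.sanitize(comment.body)"></div>
  <p>{{ comment.body }}</p>
</div>`;

// Findings a reviewer should act on: v-html with no sanitizer in the expression.
function unsanitizedBindings(template = SAMPLE_TEMPLATE) {
  return auditVHtml(template).filter((f) => !f.sanitized);
}

console.log(unsanitizedBindings()); // [{ line: 3, expr: 'comment.body', sanitized: false }]
```

The check is a heuristic for code review, not proof of safety: a sanitizer call elsewhere in the component will not be seen, and the fix that removes the risk entirely is to render comment text through interpolation or a vetted sanitizer.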

XSS

Related Identifiers

CVE-2026-28397
GHSA-RCPH-X7MJ-54MM

Affected Products

Nocodb