PT-2026-5221 · Nocodb · Nocodb

Published: 2026-01-28 · Updated: 2026-01-29 · CVE-2026-24769

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.0

Description: NocoDB has a stored cross-site scripting (XSS) issue in its attachment handling. Authenticated users can upload malicious SVG files containing embedded JavaScript. These files are rendered inline and executed in the browsers of other users who view the attachment. The root cause is overly permissive MIME type checks and a lack of content sanitization when serving SVG files. Specifically, the isPreviewAllowed function in attachmentHelpers.ts uses a substring-based check that incorrectly classifies SVG files as safe for preview. The fileReadv3 endpoint in attachments.controller.ts serves these files without sanitization or content-type enforcement, allowing browsers to execute the embedded JavaScript under the NocoDB application's origin. Successful exploitation can lead to account compromise, data exfiltration, and unauthorized actions performed on behalf of affected users.

Recommendations: Versions prior to 0.301.0 should be updated to version 0.301.0 or later.
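As an added illustration (not NocoDB's code, and not the actual isPreviewAllowed or fileReadv3 implementation; every name, constant and sample below is hypothetical or constructed), the following TypeScript contrasts a substring-style preview check of the kind the description attributes to attachmentHelpers.ts with a strict allowlist that also verifies the declared type against the file's leading bytes, and builds the response headers that keep a non-allowlisted upload such as SVG from rendering as a page on the application's origin.

```typescript
// Added example, not NocoDB's code. All names here are hypothetical.

// Leading-byte signatures for the types we are willing to preview inline.
// Note that SVG is plain XML text and has no binary signature, so it never
// matches here and therefore never qualifies for inline preview.
const MAGIC: Array<{ type: string; bytes: number[] }> = [
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46] },
];

// Exact allowlist of types that may be served with "inline" disposition.
const PREVIEW_ALLOWLIST: Set<string> = new Set(MAGIC.map((m) => m.type));

// Weak check of the kind the advisory describes: a substring match on the
// declared type. "image/svg+xml" contains "image", so it passes alongside
// raster formats, and the client-supplied type is trusted as-is.
export function isPreviewAllowedWeak(declaredType: string): boolean {
  return declaredType.includes('image') || declaredType.includes('pdf');
}

// Normalise a Content-Type value: drop parameters, trim, lower-case.
export function normaliseType(declaredType: string): string {
  return declaredType.split(';')[0].trim().toLowerCase();
}

// Infer a type from the first bytes; undefined when no known signature matches.
export function sniffType(content: Uint8Array): string | undefined {
  for (const m of MAGIC) {
    if (content.length >= m.bytes.length && m.bytes.every((b, i) => content[i] === b)) {
      return m.type;
    }
  }
  return undefined;
}

// Strict check: the normalised declared type must be an exact allowlist
// member AND must agree with what the bytes actually are.
export function isPreviewAllowedStrict(declaredType: string, content: Uint8Array): boolean {
  const t = normaliseType(declaredType);
  return PREVIEW_ALLOWLIST.has(t) && sniffType(content) === t;
}

export interface AttachmentHeaders {
  'Content-Type': string;
  'Content-Disposition': string;
  'X-Content-Type-Options': string;
  'Content-Security-Policy': string;
}

// Headers for serving an upload. Anything outside the allowlist is forced to
// download as an opaque blob; nosniff stops the browser second-guessing the
// type, and the CSP sandbox blocks script even if a document is rendered.
export function attachmentHeaders(
  declaredType: string,
  filename: string,
  content: Uint8Array,
): AttachmentHeaders {
  const inline = isPreviewAllowedStrict(declaredType, content);
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': inline ? normaliseType(declaredType) : 'application/octet-stream',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed samples: a PNG header and a harmless SVG document (no script).
export const SAMPLE_PNG: Uint8Array = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
export const SAMPLE_SVG: Uint8Array = new TextEncoder().encode(
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
);

// Side-by-side result for the SVG case, so the block shows something stand-alone.
console.log('weak check on image/svg+xml  :', isPreviewAllowedWeak('image/svg+xml'));
console.log('strict check on image/svg+xml:', isPreviewAllowedStrict('image/svg+xml', SAMPLE_SVG));
console.log(attachmentHeaders('image/svg+xml', 'logo.svg', SAMPLE_SVG));
```

The two checks disagree only on the class of input that matters here: the substring version accepts any declared type containing "image", while the strict version insists on an exact allowlist entry whose bytes match. Header policy is the second, independent layer: even a file that slips past the check is served with `attachment`, `nosniff` and a sandboxing CSP, so the browser has no path to executing it under the application's origin.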

Exploit · Fix · XSS · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-24769
GHSA-Q5C6-H22R-QPWR

Affected Products

Nocodb