VYPR
Moderate severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026

NocoDB: Stored Cross-Site Scripting via Formula Cell

CVE-2026-28357

Description

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nocodbnpm
< 0.301.30.301.3

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.