NocoDB: Stored Cross-Site Scripting via Row Comments
Description
Summary
An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.
Details
The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its data-tooltip attribute to Tippy with allowHTML: true. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.
Impact
Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from localStorage. Authentication and comment permission are required.
Credit
This issue was reported by @DavidCarliez. It was independently reported by @Mouhebbenelwafi.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to sanitize HTML content stored in row comments, allowing script execution when rendered."
Attack vector
An authenticated commenter can store HTML in row comments. When another user hovers over the comment in the expanded form view, the stored HTML is rendered with `allowHTML: true` in the `data-tooltip` attribute. This allows for attribute-level payloads to be executed as live HTML in the victim's browser context [ref_id=1].
Affected code
The vulnerability lies in the comment write paths where raw comment bodies are persisted without server-side sanitization. The expanded-form sidebar then renders this stored body, feeding its `data-tooltip` attribute to Tippy with `allowHTML: true` [ref_id=1].
What the fix does
The advisory does not detail specific code changes or provide a patch. However, it implies that server-side sanitization of comment bodies should be implemented to prevent the injection of malicious HTML. The fix would involve ensuring that all user-supplied comment content is properly escaped or filtered before being stored and rendered.
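As an added illustration (not NocoDB code and not taken from the advisory), the JavaScript below shows the two halves of the fix the advisory implies: escaping a comment body on the server-side write path before it is stored, and building the sidebar tooltip options with `allowHTML` set to `false` so the stored body is inserted as text rather than markup. It also includes an audit helper for flagging rows that were stored before the fix and still contain markup. The function names `sanitizeCommentBody`, `tooltipOptions` and `findSuspiciousComments`, the handler shape, and the sample comments are all assumptions constructed for this example; the vulnerable option object is shown only for contrast.

```javascript
// Added example, not NocoDB code: neutralise comment bodies on the write path and
// render tooltips as text so stored markup can never become live HTML on hover.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag or break out of an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side write path (hypothetical handler shape): validate, bound and escape
// the body before it is persisted, so the database only ever holds inert text.
function sanitizeCommentBody(rawBody, maxLen = 4000) {
  if (typeof rawBody !== 'string') throw new TypeError('comment body must be a string');
  return escapeHtml(rawBody.trim().slice(0, maxLen));
}

// Client-side tooltip options for the expanded-form sidebar: the stored body is
// passed as plain text, so the tooltip library sets it with textContent semantics.
function tooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: false };
}

// The configuration the advisory describes, kept here only for contrast.
function vulnerableTooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: true };
}

// Audit helper for already-stored rows: flag bodies that contain a tag opener or an
// inline event-handler attribute so they can be re-sanitised after the fix ships.
const TAG_OPENER_RE = /<[a-z!\/]/i;
const EVENT_ATTR_RE = /\son[a-z]+\s*=/i;

function findSuspiciousComments(comments) {
  return comments
    .filter((c) => TAG_OPENER_RE.test(c.body) || EVENT_ATTR_RE.test(c.body))
    .map((c) => c.id);
}

// Constructed sample comments (not real NocoDB data). Row 3 shows a legitimate
// angle bracket that the audit must not flag.
const SAMPLE_COMMENTS = [
  { id: 1, body: 'Looks good, approved.' },
  { id: 2, body: '<b onmouseover="void 0">hover me</b>' },
  { id: 3, body: 'Budget is 5 < 10, so this is fine.' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const stored = sanitizeCommentBody(SAMPLE_COMMENTS[1].body);
  console.log('stored body:', stored);
  console.log('tooltip options:', tooltipOptions(stored));
  console.log('rows needing re-sanitisation:', findSuspiciousComments(SAMPLE_COMMENTS));
}
```

Escaping at write time means the stored value is safe regardless of which view later renders it; passing it with `allowHTML: false` is the second, independent layer, so a future template that forgets to escape still does not execute stored markup. The audit helper is a coarse signal for triage, not a sanitiser: rows it flags should be rewritten through `sanitizeCommentBody`.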
Preconditions
- auth: Attacker must be authenticated.
- input: Attacker must have comment permission.
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Nocodb: 14 Vulnerabilities Disclosed Together, Including XSS and SQL Injection (Vypr Intelligence, Jun 5, 2026)