NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Rich text cell content rendered via v-html without sanitization, enabling stored XSS.
User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS.
Comments rendered via v-html without sanitization, enabling stored XSS.
An authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter.
The password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.
The password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration.
An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API.
The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known.
A stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute.
Shared view passwords were stored in plaintext in the database and compared using direct string equality.
A stored Cross-site Scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users.
An unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the continueAfterSignIn parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login.
An authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution.
A blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied.
The API endpoint related to the password reset function is vulnerable to reflected Cross-Site Scripting.
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
An attacker can upload an HTML file with malicious content. If a user opens that file in a browser, the malicious scripts can execute, leading to a stored XSS (Cross-Site Scripting) attack.
Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay …
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.