CVE-2026-28359: NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
An authenticated user with the Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML directly to the API.
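The root cause described above is a browser-side editor being relied on as the validation layer: the editor only shapes what a well-behaved client sends, while a client that calls the API directly can submit any markup it likes. As an added example (not NocoDB's own code), the following JavaScript shows the server-side control that closes that gap: an allowlist sanitizer applied to every Rich Text write regardless of which client produced it. The tag and attribute allowlists, the helper names and the sample request body are assumptions constructed for this illustration.

```javascript
// Added example, not NocoDB's code: allowlist sanitization of rich-text HTML
// at the API boundary. A browser editor such as TipTap only constrains
// well-behaved clients; a caller can skip it and POST raw HTML, so the server
// must sanitize every write before storing or rendering it.

// Assumed allowlists for this illustration, not NocoDB's configuration.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "u", "s",
  "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "code", "pre", "a"]);
const VOID_TAGS = new Set(["br"]);
// Per-tag attribute allowlist; anything else (style, on*, srcdoc, ...) is dropped.
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escape the two characters that would let stored text be re-read as markup.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Only absolute http(s) URLs survive; javascript:, data:, vbscript: and
// protocol-relative values are rejected rather than "fixed".
function safeHref(value) {
  const v = value.trim();
  return /^https?:\/\/[^\s"'<>]+$/i.test(v) ? v : null;
}

// Rebuild an allowed tag from parsed values. Nothing from the original
// attribute string is copied verbatim, so odd quoting or mutation tricks
// never reach the output.
function rebuildTag(name, attrString) {
  const allowed = ALLOWED_ATTRS[name];
  let attrs = "";
  if (allowed) {
    const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let m;
    while ((m = attrRe.exec(attrString)) !== null) {
      const attr = m[1].toLowerCase();
      const raw = m[2] || m[3] || m[4] || "";
      if (attr === "href" && allowed.has(attr)) {
        const href = safeHref(raw);
        if (href) attrs += ` href="${href}" rel="noopener noreferrer"`;
      }
    }
  }
  return `<${name}${attrs}>`;
}

// Sanitize one rich-text value. Unknown tags are dropped (their inner text is
// kept as escaped text), unknown attributes are dropped, and the result is
// always balanced so a truncated payload cannot leave an element open.
function sanitizeRichText(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const open = []; // stack of currently open allowed tags
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // <script>, <img>, <svg>, <iframe>, ...
    if (VOID_TAGS.has(name)) {
      if (!closing) out += `<${name}>`;
      continue;
    }
    if (closing) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue; // stray close tag with no matching open
      while (open.length > idx) out += `</${open.pop()}>`;
    } else {
      out += rebuildTag(name, m[3]);
      open.push(name);
    }
  }
  out += escapeText(html.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample standing in for a raw API request body that bypassed the
// editor; every dangerous piece is neutralised by the sanitizer.
const SAMPLE_RAW_BODY =
  '<p>Hi <b>team</b></p><img src=x onerror=alert(1)>' +
  '<a href="javascript:alert(1)" onclick="x()">link</a><script>alert(1)</script>';

console.log(sanitizeRichText(SAMPLE_RAW_BODY));
```

The design point is that the sanitizer reconstructs output from parsed values rather than filtering the input string in place: a tag is either rebuilt from an allowlisted name and vetted attributes or discarded entirely, and every stored value is balanced, so the same routine can run on the API write path and again at render time as a defence in depth.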