Cross-site scripting in NocoDB - CVE-2026-24769

 


Published: April 27, 2026


Vulnerability identifier: #VU127980
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24769
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nocodb
Affected software:
NocoDB

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the browsers of other users.

The vulnerability exists due to cross-site scripting in the attachment handling mechanism when rendering uploaded SVG attachments inline. A remote user can upload a malicious SVG file containing embedded JavaScript to execute arbitrary script in the browsers of other users.

Exploitation requires permission to upload attachments and depends on user interaction: another user must view the uploaded attachment.
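The root cause described above is that an uploaded SVG is rendered inline, so any active content it carries (script elements, event-handler attributes, javascript: links) runs in the viewer's browser under the application's origin. The following is an added example, not NocoDB's code or the vendor's fix, of the two defensive controls a practitioner would want around an attachment store: a namespace-aware scan that rejects SVG uploads containing active content (failing closed on files that are not even well-formed XML), and the response headers that keep a stored attachment from being rendered as a page when it is served back. The sample SVG documents are constructed for the demonstration; the function names and the conservative element list are this example's own choices.

```python
"""Defensive handling of user-uploaded SVG attachments (added example, not NocoDB's code)."""
import xml.etree.ElementTree as ET

# Elements that can execute or smuggle script when an SVG is rendered inline.
# <set>/<animate> are included because they can rewrite attributes such as href
# at runtime; this is a deliberately conservative allow-nothing-active policy.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings for an uploaded SVG; an empty list means nothing
    active was detected. A document that is not well-formed XML is itself a
    finding: a file the parser cannot read cannot be shown to be safe."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            # Any on* attribute (onload, onclick, ...) is an inline event handler.
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            # href / xlink:href: strip embedded whitespace before checking the
            # scheme, because browsers ignore it and an attacker may insert it.
            if name == "href":
                normalised = "".join(value.split()).lower()
                if normalised.startswith(DANGEROUS_SCHEMES):
                    scheme = normalised.split(":", 1)[0]
                    findings.append(f"href on <{tag}> uses scheme {scheme}:")
    return findings


def attachment_response_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for serving a stored attachment so the browser does not render it
    as a document in the application's origin: Content-Disposition: attachment
    forces a download instead of inline display, nosniff stops MIME guessing,
    and a sandbox CSP blocks script even if the file is still rendered."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "Cache-Control": "no-store",
    }


# Constructed sample uploads (not taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="teal"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* placeholder */</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */">'
               b'<rect width="1" height="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\nscript:void(0)"><text>click</text></a></svg>')
TRUNCATED_SVG = b"<svg><g>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG), ("truncated", TRUNCATED_SVG)]:
        print(label, "->", svg_active_content(doc) or "accepted")
    print(attachment_response_headers("diagram.svg", "image/svg+xml"))
```

Rendering an SVG through an `<img>` element (rather than inlining its markup or loading it in an iframe or object) also prevents script execution, so the scan above is a second layer for deployments that must still inline the image; the headers are what matters on the download path, where the scan does not apply.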


How to mitigate CVE-2026-24769

Install the security update from the vendor's website.

Sources