← Voltar para CVEs
CVE-2026-24769
CRITICAL9.0
Descricao
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
Detalhes CVE
Pontuacao CVSS v3.19.0
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado1/28/2026
Ultima modificacao2/4/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
nocodb:nocodb
Fraquezas (CWE)
CWE-79CWE-434
Referencias
https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.