CVE-2026-28357

low-risk

Published 2026-03-02

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Nocodb

Affected Vendors

Nocodb

References (2)

Product https://github.com/nocodb/nocodb/releases/tag/0.301.3

Vendor Advisory https://github.com/nocodb/nocodb/security/advisories/GHSA-vx5p-q85x-xm3c

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal