User-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS.
Comments in Comments.vue and rich text in TextArea.vue were parsed by markdown-it with html: true and injected via v-html. The codebase had vue-dompurify-html available but these paths used raw v-html. Server-side, Comment.insert() used extractProps() instead of extractPropsAndSanitize().
Commenter role is sufficient for the comments vector; Editor role for rich text.
This issue was independently reported; see also GHSA-rcph-x7mj-54mm and GHSA-wwp2-x4rj-j8rm for the same root cause found by GitHub Security Lab.
Stored XSS — malicious scripts execute for any user viewing the comment or cell.
This issue was reported by @bugbunny-research (bugbunny.ai).
| Score | Percentile |
|---|---|
| 0.03% | 10.30% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-8vm4-g489-v3w7 ↗ |
| CVE | CVE-2026-28398 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | nocodb | <= 0.301.2 | 0.301.3 | — |