CVE-2026-24769
Published: 28 January 2026
Summary
CVE-2026-24769 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Nocodb Nocodb. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires applying the vendor patch in NocoDB version 0.301.0, which directly fixes the insecure SVG attachment rendering vulnerability.
Information output filtering sanitizes or escapes rendered attachment content to block execution of embedded JavaScript in SVG files viewed by users.
Information input validation scans and rejects uploaded SVG files containing malicious JavaScript payloads during attachment handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS via malicious SVG upload in public-facing NocoDB web app directly enables server-side exploitation (T1190) that delivers client-side JS execution (T1059.007) to victims viewing content (T1189/T1203).
NVD Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and…
more
executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
Deeper analysisAI
CVE-2026-24769 is a stored cross-site scripting (XSS) vulnerability in NocoDB, an open-source software platform for building databases as spreadsheets. The issue resides in the attachment handling mechanism and affects versions prior to 0.301.0. It allows authenticated users to upload malicious SVG files containing embedded JavaScript, which are stored server-side and rendered inline when viewed by other users, leading to arbitrary code execution in the victims' browsers under the application's origin. The vulnerability is associated with CWE-79 (Cross-Site Scripting) and CWE-434 (Unrestricted Upload of File with Dangerous Type), earning a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
An attacker with low-privilege authenticated access (PR:L) can exploit this by uploading a specially crafted SVG attachment to a shared resource. When other users, potentially with higher privileges, view the attachment, the embedded JavaScript executes in their browser context. This enables severe impacts including account takeover, data exfiltration from the application, and unauthorized actions performed on behalf of the victim, such as modifying records or escalating privileges, due to the cross-origin resource sharing (S:C) scope change.
The official patch is available in NocoDB version 0.301.0, which addresses the insecure rendering of SVG attachments. Additional details and remediation guidance are provided in the GitHub Security Advisory at https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr, published on 2026-01-28. Security practitioners should upgrade affected instances immediately and review attachment upload policies as an interim measure.
Details
- CWE(s)