PatchSiren cyber security CVE debrief

CVE-2026-47383 nocodb CVE debrief

CVE-2026-47383 is a HIGH-severity vulnerability in NocoDB, software for building databases as spreadsheets. An authenticated commenter could store HTML in a row comment that executed as script when other users hovered over the comment in the expanded form view. The root cause is that the comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and passed it as the data-tooltip attribute to Tippy with allowHTML: true. The issue is fixed in version 2026.05.1.

Vendor: nocodb
Product: Unknown
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Operators of NocoDB instances, especially those where authenticated users can comment on rows, should update to version 2026.05.1 promptly. Defenders should also review their inventory of NocoDB instances and prioritize patching; until patching is complete, compensating controls such as monitoring for suspicious activity may be necessary.

Technical summary

The flaw lies in NocoDB's comment write paths, which persist raw comment bodies without server-side sanitisation. When another user hovers over a comment in the expanded form view, the stored body is rendered and its data-tooltip attribute is handed to Tippy with allowHTML: true, so any HTML an authenticated commenter stored is interpreted as markup and any script it carries runs in the viewer's browser. This is a stored cross-site scripting issue; it carries a CVSS score of 7.4 and is rated HIGH severity.

Defensive priority

Defenders should prioritize patching NocoDB instances to version 2026.05.1. In the meantime, monitoring for suspicious activity and implementing compensating controls may be necessary.

Recommended defensive actions

  • Update NocoDB to version 2026.05.1 or later
  • Review inventory of NocoDB instances and prioritize patching
  • Monitor for suspicious activity and implement compensating controls
  • Implement server-side sanitisation for comment bodies
  • Restrict which authenticated users are permitted to comment
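To make the technical summary and the "server-side sanitisation" action above concrete, here is an added example (not NocoDB's or Tippy's own code): the unsafe tooltip pattern the debrief describes beside a hardened write path and render path, plus a scan a defender can run over already-stored comments. All function names, the comment record shape and the sample data are constructed for this illustration.

```javascript
// Escape the five HTML-significant characters so a comment body is always
// treated as text, never as markup, wherever it is rendered later.
function escapeHtml(body) {
  return String(body).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// UNSAFE pattern (the pre-fix behaviour described in the debrief): the raw
// stored body is handed to the tooltip and Tippy is told to parse it as HTML.
function vulnerableTooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: true };
}

// HARDENED write path: sanitise before persisting. Here comments are plain
// text, so escaping is the sanitisation step (hypothetical persistComment).
function persistComment(rawBody) {
  return { body: escapeHtml(rawBody) };
}

// HARDENED render path: the tooltip layer never interprets content as HTML,
// so even a body that slipped through unescaped is shown literally.
function safeTooltipOptions(storedBody) {
  return { content: storedBody, allowHTML: false };
}

// Defender check over stored comments: flag bodies holding a tag or an
// event-handler-style attribute, which a text-only field should never contain.
// This is a triage aid for spotting pre-patch abuse, not a sanitiser.
const MARKUP = /<\/?[a-z][\s\S]*?>/i;
const HANDLER = /\bon[a-z]+\s*=/i;
function findSuspiciousComments(comments) {
  return comments
    .filter(({ body }) => MARKUP.test(body) || HANDLER.test(body))
    .map(({ id }) => id);
}

// Constructed sample rows, as a comments table might hold them.
const SAMPLE_COMMENTS = [
  { id: 1, body: 'Looks good, shipping Monday' },
  { id: 2, body: 'Price is <b>final</b>' },          // markup: flagged
  { id: 3, body: 'a < b and c > d' },                 // plain text, not flagged
];
```

Running findSuspiciousComments over a real comments export gives a list of ids to review by hand; the escaping in persistComment is only a correct fix if the product treats comments as plain text, which is an assumption of this example.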

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity. The source item URL provides additional context on the vulnerability, including references to the security advisory.

Official resources

This article is AI-assisted and based on the supplied source corpus.