Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pczw-jqqk-cuc9
Vulnerability ID VCID-pczw-jqqk-cuc9
Aliases CVE-2023-49781
GHSA-h6r4-xvw6-jc5h
Summary NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01788 https://api.first.org/data/v1/epss?cve=CVE-2023-49781
epss 0.01788 https://api.first.org/data/v1/epss?cve=CVE-2023-49781
epss 0.01788 https://api.first.org/data/v1/epss?cve=CVE-2023-49781
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-h6r4-xvw6-jc5h
cvssv3.1 7.3 https://github.com/nocodb/nocodb
generic_textual HIGH https://github.com/nocodb/nocodb
cvssv3.1 7.3 https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
generic_textual HIGH https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
ssvc Track https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
cvssv3.1 7.3 https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
cvssv3.1_qr HIGH https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
generic_textual HIGH https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
ssvc Track https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
cvssv3.1 7.3 https://nvd.nist.gov/vuln/detail/CVE-2023-49781
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-49781
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-49781
https://github.com/nocodb/nocodb
7f58ce3726dfec71537d8b80474a0f95a48a1574 https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
CVE-2023-49781 https://nvd.nist.gov/vuln/detail/CVE-2023-49781
GHSA-h6r4-xvw6-jc5h https://github.com/advisories/GHSA-h6r4-xvw6-jc5h
GHSA-h6r4-xvw6-jc5h https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nocodb/nocodb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:49:05Z/ Found at https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-13T19:49:05Z/ Found at https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-49781
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.83148
EPSS Score 0.01788
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:21:32.022102+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/49xxx/CVE-2023-49781.json 38.6.0