CVE Catalog

CVE-2026-53929

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 allowed authenticated uploaders to deliver .html or .svg attachments that were rendered inline in the browser instead of forcing a download. The issue stemmed from a mismatch in how response headers were handled, leading to automatic rendering of these files.

Risk Assessment

Organizations may be exposed to XSS attacks as malicious attachments could be rendered in users' browsers, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability. Additionally, consider reviewing the attachment management policy within the application.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS