NocoDB, Stored XSS Vulnerability (Critical)

Listen to this Post

The vulnerability exists due to improper handling of SVG file attachments. In attachmentHelpers.ts, a previewable MIME type check uses `mimetype.includes(type)` on an array containing 'image'. This incorrectly classifies `image/svg+xml` files as safe for inline preview without sanitization. SVG files can contain embedded JavaScript within `

Scroll to Top