CVE-2026-53929
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
NocoDB prior to version 2026.05.1 allowed authenticated uploaders to deliver .html or .svg attachments that were rendered inline in the browser instead of forcing a download. The issue stemmed from a mismatch in how response headers were handled, leading to automatic rendering of these files.
Risk Assessment
Organizations may be exposed to XSS attacks as malicious attachments could be rendered in users' browsers, potentially leading to data theft or session hijacking.
Recommendation
It is recommended to upgrade NocoDB to version 2026.05.1 or later to mitigate this vulnerability. Additionally, consider reviewing the attachment management policy within the application.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stored response-header overrides under PascalCase keys (ResponseContentDisposition, ResponseContentType) while the controller that served the file read them under lowercase-hyphen names (response-content-disposition). The mismatch dropped the Content-Disposition: attachment header, leaving Express to auto-render .html, .svg, and similar inline. This vulnerability is fixed in 2026.05.1.

