25 matches found
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
Summary: An authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. Details: The TipTap editor sanitizes HTML client-side, but the backend stores raw HTML without server-side sanitization. The stored content...
CVE-2026-28359
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...
PT-2026-22630
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...
CVE-2025-14284
A flaw was found in @tiptap/extension-link. This vulnerability allows an attacker to execute arbitrary JavaScript (JS) code via unsanitized user input when setting or toggling links, by injecting a javascript: Uniform Resource Locator (URL) payload. Mitigation: Mitigation for this issue is either not...
Cross-site Scripting (XSS)
@tiptap/extension-link is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to unsanitized user input in link-setting functionality, allowing attackers to inject javascript: URLs that execute arbitrary JavaScript when interacted with...
@10play/tentap-editor (>=0.5.27 <=0.7.5-alpha.0), @adminjs/design-system (>=3.0.0 <=4.0.3) +131 more potentially affected by CVE-2025-14284 via @tiptap/extension-link (>=2.0.0-beta.18 <=2.10.3)
@tiptap/extension-link NPM version =2.0.0-beta.18, =0.5.27, =3.0.0, =0.4.1, =3.0.0-alpha.1, =0.0.1, =0.2.1, =0.2.0, =0.1.0, =0.28.0, =3.4.0, =1.2.0, =0.0.3, =0.4.1 and more Source cves: CVE-2025-14284 Source advisory: OSV:GHSA-VHRC-HGRQ-X75R...
EUVD-2025-201879
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)...
GHSA-VHRC-HGRQ-X75R @tiptap/extension-link vulnerable to Cross-site Scripting (XSS)
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...
CVE-2025-14284
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...
CVE-2025-14284
The CVE-2025-14284 entry applies to the @tiptap/extension-link package, specifically versions before 2.10.4. The issue is Cross-site Scripting (XSS) caused by unsanitized user input when setting or toggling links, allowing an attacker to inject a javascript: URL payload that can execute arbitrary...
Tiptap Editor Security Vulnerability
Tiptap Editor is an open source text editor framework from Tiptap. A security vulnerability exists in Tiptap Editor versions prior to 2.10.4 that stems from uncleaned user input and could lead to a cross-site scripting attack...
PT-2025-49800
Name of the Vulnerable Software and Affected Versions: @tiptap/extension-link versions prior to 2.10.4. Description: The @tiptap/extension-link package is susceptible to Cross-site Scripting (XSS) because of unsanitized user input when setting or toggling links. An attacker can inject a javascript: UR...
EUVD-2025-199251
Malicious code in tiptap-shadcn-vue npm...
Malicious code in tiptap-shadcn-vue (npm)
Per source details. Source: amazon-inspector f0749b2f0cf2a55c1736c46b2865d3ac1dfd6bf241b5242225513d0807ee512e The package tiptap-shadcn-vue was found to contain malicious code. Source: ghsa-malware...
Embedded Malicious Code
Overview: Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...
org.webjars.npm:tiptap__extension-link (>=2.0.0-beta.199 <=2.0.0-beta.202) potentially affected by CVE-2025-8101 via org.webjars.npm:linkifyjs (=4.0.0-beta.6)
org.webjars.npm:linkifyjs MAVEN version =4.0.0-beta.6 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:linkifyjs and may be impacted: - org.webjars.npm:tiptap__extension-link =2.0.0-beta.199, =2.0.0-beta.202 Source cves: CVE-2025-8101 Sour...
Arbitrary File Upload
Overview: marshmallow/nova-tiptap is a Laravel Nova tiptap editor field. Affected versions of this package are vulnerable to Arbitrary File Upload via the /nova-tiptap/api/file endpoint, which lacks authentication and file validation. An attacker can upload arbitrary files, including executable or...