Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft URLs whose ncRedirectUrl or ncBackUrl parameters are inserted directly into a JavaScript execution context and into hyperlinks without validation, creating a reflected XSS condition. An attacker could execute arbitrary script in the victim's browser, enabling session hijacking, cookie theft, defacement, or downstream attacks against internal resources when the victim follows the malicious link. The flaw is classified as CWE-79 (improper neutralization of input during web page generation), a classic input validation weakness that compromises confidentiality, integrity, and availability at the user level.

Affected Systems

The flaw exists in all NocoDB releases prior to version 2026.04.1. Any installations that have not applied the 2026.04.1 update are vulnerable. The affected product is NocoDB by the vendor nocodb.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS is not available, so the historical exploitation likelihood is uncertain, but reflected XSS is a well-known attack vector in a variety of web applications, and the flaw can be triggered by a crafted URL in an email or public link. The vulnerability is not listed in CISA KEV, suggesting no known exploitation in the wild as of the last analysis. Attackers can exploit this remotely via any user who visits a malicious link that directs the victim to the Page Leaving Warning page with malicious ncBackUrl or ncRedirectUrl values.

Generated by OpenCVE AI on June 24, 2026 at 02:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later
  • If upgrade is not immediately possible, validate or escape the ncRedirectUrl and ncBackUrl parameters to prevent JavaScript URI injection
  • Monitor web traffic and logs for suspicious redirect URLs and suspicious user activity
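
As an added illustration of the second action above (this is not NocoDB's own code; the application origin, the fallback target and the sample paths are assumed), a browser-side allowlist check that the two parameters must pass before they are bound to window.location.href or an <a href>:

```javascript
// Added example, not NocoDB's code: allowlist validation for redirect-style
// query parameters (ncRedirectUrl, ncBackUrl) before they are bound to
// window.location.href or an <a href>. APP_ORIGIN and the sample paths are
// assumed values for illustration.
const APP_ORIGIN = "https://nocodb.example.internal";
const FALLBACK = "/";

// Return an absolute same-origin http(s) URL for the candidate, or FALLBACK.
function safeRedirectUrl(candidate, origin = APP_ORIGIN, fallback = FALLBACK) {
  if (typeof candidate !== "string") return fallback;
  // Tabs and newlines never belong in a URL; browsers drop them while parsing,
  // so "java\tscript:" would otherwise become "javascript:". Remove them first.
  const cleaned = candidate.replace(/[\t\r\n]/g, "").trim();
  if (cleaned === "") return fallback;
  let parsed;
  try {
    // Relative paths resolve against our origin; absolute URLs keep their own.
    parsed = new URL(cleaned, origin);
  } catch {
    return fallback; // unparseable input
  }
  // Scheme allowlist: URL() lowercases the protocol, so "JaVaScRiPt:" is caught too.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
  // Same-origin check stops open redirects, including protocol-relative
  // "//evil.example" and backslash variants the parser normalises to slashes.
  if (parsed.origin !== new URL(origin).origin) return fallback;
  // Return the full href rather than a bare path: a pathname such as "//x"
  // would be re-read as protocol-relative if assigned to location.href.
  return parsed.href;
}

// Resolve both parameters from a query string such as window.location.search.
function resolveLeaveWarningTargets(queryString, origin = APP_ORIGIN) {
  const params = new URLSearchParams(queryString);
  return {
    redirectUrl: safeRedirectUrl(params.get("ncRedirectUrl"), origin),
    backUrl: safeRedirectUrl(params.get("ncBackUrl"), origin),
  };
}
```

Rejected values fall back to the application root rather than being echoed, so a crafted link degrades to a harmless navigation instead of a script execution.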

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-9qgr-6vpg-9gh9   NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
History

Wed, 24 Jun 2026 01:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Nocodb; Nocodb nocodb
Vendors & Products                     Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.
Title                          NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:42:03.511Z

Reserved: 2026-05-14T20:42:31.368Z

Link: CVE-2026-46547

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T02:45:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')