Impact
NocoDB's shared form-view submit handler writes the form's redirect_url directly to window.location.href after a same-host check that does not validate the URL scheme. An editor or higher user can supply a javascript: URL. When an authenticated viewer opens the shared form link and submits the form, the malicious JavaScript executes in the context of the NocoDB origin, allowing the payload to read the session token from localStorage["nocodb-gui-v2"]. This stored cross-site scripting flaw enables attackers to run arbitrary code within the application, steal session credentials, and potentially perform actions as the victim user.
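To make the mitigation concrete, here is an added example (not NocoDB's code) contrasting a hypothetical host-only redirect check of the kind described above with a hardened validator that allowlists the scheme before comparing origins. The app origin https://nocodb.example and the helper names are constructed for the example.

```javascript
// Constructed app origin; stands in for window.location.origin in a real page.
const APP_ORIGIN = "https://nocodb.example";

// Hypothetical weak check: resolves the target against the app origin and
// compares hostnames only. Scheme-only URLs such as javascript: and data:
// parse with an empty host, so they are never rejected here.
function weakSameHostCheck(redirectUrl, appOrigin = APP_ORIGIN) {
  let target;
  try {
    target = new URL(redirectUrl, appOrigin);
  } catch {
    return false; // unparsable input is refused
  }
  const appHost = new URL(appOrigin).hostname;
  return target.hostname === "" || target.hostname === appHost;
}

// Hardened validator: returns the absolute URL that may be assigned to
// window.location.href, or null when the target must be refused.
function safeRedirectTarget(redirectUrl, appOrigin = APP_ORIGIN) {
  let target;
  try {
    target = new URL(redirectUrl, appOrigin);
  } catch {
    return null;
  }
  // Allowlist the scheme first. The URL parser lowercases the protocol and
  // strips leading whitespace, so "JavaScript:" and " javascript:" are caught.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Then require the full origin (scheme, host and port), which also rejects
  // protocol-relative targets such as //other.example/path.
  if (target.origin !== new URL(appOrigin).origin) return null;
  return target.href;
}

// Defensive submit handler: only a validated target ever reaches location.href.
// `location` is any object with a writable href (window.location in a browser).
function redirectAfterSubmit(redirectUrl, location) {
  const href = safeRedirectTarget(redirectUrl);
  if (href === null) return false; // stay on the page, nothing assigned
  location.href = href;
  return true;
}
```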
Affected Systems
Any self-hosted NocoDB installation running a version prior to 2026.05.1 is vulnerable. The flaw resides in the shared form-view submit handler located in packages/nc-gui/composables/useSharedFormViewStore.ts. Users with the editor role (or higher) can inject a javascript: URL into the form's redirect_url. When an authenticated viewer opens the share link and submits the form, the payload executes. All releases before the fix are affected; no older version is safe.
Risk and Exploitability
The CVSS score of 8.4 classifies this flaw as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but its high severity rating underscores the risk. Based on the description, it is inferred that the vulnerability is exploitable by an editor who sets a malicious redirect_url and a viewer who opens the shared form link, resulting in the execution of attacker-supplied code in the NocoDB origin. Successful exploitation gives the attacker the same privileges as the victim's session, enabling data exfiltration or further compromise of the NocoDB environment.
OpenCVE Enrichment
GitHub GHSA