VYPR
Moderate severityGHSA Advisory· Published May 21, 2026· Updated May 21, 2026

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

CVE-2026-46547

Description

Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and ` tag bindings without validation, allowing javascript:` URI injection.

Details

PageLeavingWarning.vue reads ncRedirectUrl and ncBackUrl directly from the route query without validation. When isSameOriginUrl() returns false (as it does for javascript: URIs), the raw URL is assigned to window.location.href, executing arbitrary JavaScript. The redirect URL is also bound directly to an ` tag's href` attribute.

Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

Credit

This issue was reported by @naoyashiga.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nocodbnpm
<= 0.301.3

Affected products

1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.