VYPR
Medium severity 6.1 · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

CVE-2026-46547

Description

Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The `ncRedirectUrl` and `ncBackUrl` query parameters are used in `window.location.href` and `<a>` tag bindings without validation, allowing `javascript:` URI injection.

Details

`PageLeavingWarning.vue` reads `ncRedirectUrl` and `ncBackUrl` directly from the route query without validation. When `isSameOriginUrl()` returns false (as it does for `javascript:` URIs), the raw URL is assigned to `window.location.href`, executing arbitrary JavaScript. The redirect URL is also bound directly to an `<a>` tag's `href` attribute.

Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

Credit

This issue was reported by @naoyashiga.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NocoDB's Page Leaving Warning page has a reflected XSS flaw: `ncRedirectUrl` and `ncBackUrl` parameters allow `javascript:` URI injection without validation, enabling arbitrary JS execution with no authentication needed.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in NocoDB's Page Leaving Warning page (`PageLeavingWarning.vue`). The component directly reads the `ncRedirectUrl` and `ncBackUrl` query parameters from the route and assigns them to `window.location.href` and an `<a>` tag's `href` attribute without any validation or sanitization [1][2].

Exploitation

When the helper function isSameOriginUrl() returns false (which occurs for non-http schemes like javascript:), the raw URL is passed to window.location.href, executing arbitrary JavaScript. An attacker can craft a malicious link containing a javascript: URI in one of these parameters and send it to a victim. The attack requires no authentication to succeed [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the NocoDB application, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the victim. The attack is reflected (not stored), so the malicious payload is delivered directly via the crafted link [1][2].

Mitigation

As of the advisory publication, the vulnerability has been acknowledged. Users should check for patches or updates from NocoDB. No workaround is described; the recommended action is to apply the vendor-supplied fix when available [1][2].
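The Details and Mitigation sections above describe the defect as a missing allow-list: a value that is not same-origin is still navigated to. The following is an added example, not NocoDB's code and not the vendor fix, of the check a component like `PageLeavingWarning.vue` could apply to `ncRedirectUrl` and `ncBackUrl` before using them in `window.location.href` or an `<a href>`. Only same-origin `http(s)` targets are accepted and everything else (any other scheme, a protocol-relative `//host` form, a foreign origin, unparsable input) is replaced by a fixed in-app path. The function names, the `FALLBACK_PATH` value and the sample origin are assumptions made for the example.

```javascript
// Added example (not NocoDB's code): an allow-list based redirect sanitizer.
// The vulnerable pattern described in the advisory navigates to the raw
// parameter even when it is not same-origin; this version never returns the
// raw input and only ever yields a same-origin path, query and fragment.

const FALLBACK_PATH = '/'; // assumption: where to send the user when the target is rejected

function sanitizeRedirectUrl(raw, origin, fallback = FALLBACK_PATH) {
  if (typeof raw !== 'string' || raw.trim() === '') return fallback;
  let parsed;
  try {
    // Resolving against `origin` turns relative paths ('/dashboard') into
    // absolute same-origin URLs; absolute inputs keep their own scheme.
    // The WHATWG parser also strips embedded tabs/newlines, so obfuscated
    // scheme spellings still end up with their real protocol here.
    parsed = new URL(raw.trim(), origin);
  } catch {
    return fallback; // unparsable input is never navigated to
  }
  // Scheme allow-list: javascript:, data:, blob:, vbscript: etc. all fail this.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  // Same-origin check: rejects https://evil.example and //evil.example alike.
  if (parsed.origin !== new URL(origin).origin) return fallback;
  // Return only path + query + hash so the result can never carry a foreign host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Resolve both query parameters the advisory names (assumed shape of a Vue
// route query object: plain strings or undefined).
function resolveLeaveTargets(query, origin) {
  return {
    redirect: sanitizeRedirectUrl(query.ncRedirectUrl, origin),
    back: sanitizeRedirectUrl(query.ncBackUrl, origin),
  };
}

// Stand-alone demonstration with constructed inputs (no browser needed).
if (typeof window === 'undefined') {
  const origin = 'https://nocodb.example'; // constructed sample origin
  console.log(resolveLeaveTargets(
    { ncRedirectUrl: 'javascript:alert(1)', ncBackUrl: '/dashboard?tab=1' },
    origin
  ));
  // → { redirect: '/', back: '/dashboard?tab=1' }
}
```

In the component the result would be used as `window.location.href = targets.redirect` and `:href="targets.back"`; because the function returns a same-origin path rather than the original string, a `javascript:` value in either parameter can only ever produce the fallback path.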

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Nocodb/Nocodb (GHSA), 2 versions: <= 0.301.3, + 1 more
    • (no CPE) range: <= 0.301.3
    • (no CPE)

Patches

No patches discovered yet.
