Vulnerability details: VCID-wn4a-x9z3-qkbu
Vulnerability ID VCID-wn4a-x9z3-qkbu
Aliases CVE-2026-46547
GHSA-9qgr-6vpg-9gh9
Summary NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

### Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The `ncRedirectUrl` and `ncBackUrl` query parameters are used in `window.location.href` and `<a>` tag bindings without validation, allowing `javascript:` URI injection.

### Details

`PageLeavingWarning.vue` reads `ncRedirectUrl` and `ncBackUrl` directly from the route query without validation. When `isSameOriginUrl()` returns `false` (as it does for `javascript:` URIs), the raw URL is assigned to `window.location.href`, executing arbitrary JavaScript. The redirect URL is also bound directly to an `<a>` tag's `href` attribute.

### Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

### Credit

This issue was reported by [@naoyashiga](https://github.com/naoyashiga).
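The defect described above is a same-origin test whose failure branch falls through to the raw query value. The following is an added example of how a redirect target taken from the route query can be validated before it reaches `window.location.href` or an `<a href>` binding; it is not NocoDB's code, and `APP_ORIGIN`, `safeRedirectUrl` and `resolveLeaveTargets` are hypothetical names with a constructed origin.

```javascript
// Added example, not NocoDB's code. APP_ORIGIN, safeRedirectUrl and
// resolveLeaveTargets are hypothetical names; the origin is a constructed value.
const APP_ORIGIN = "https://nocodb.example";
const FALLBACK_PATH = "/";

// Return an absolute URL that is safe to assign to window.location.href or to
// bind to an <a href>, or null if the candidate must be rejected. A same-origin
// test alone is not enough: the failure branch must reject, never fall through
// to the raw value, and the scheme must be allowlisted so that javascript:,
// data: and similar URIs are refused regardless of how the origin test goes.
function safeRedirectUrl(candidate, origin = APP_ORIGIN) {
  if (typeof candidate !== "string" || candidate.trim() === "") return null;
  let url;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep their scheme.
    url = new URL(candidate, origin);
  } catch (e) {
    return null; // unparsable input is rejected, not passed through
  }
  // Scheme allowlist. URL() lowercases the scheme and strips embedded tabs and
  // newlines, so case and whitespace variations collapse to the same comparison.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Same-origin check on the parsed origin, so protocol-relative "//other.example/x"
  // and userinfo-prefixed "https://nocodb.example@other.example/" are refused too.
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// Resolve both query parameters the advisory names, substituting the fallback
// path for anything rejected. `query` is the route's query object,
// e.g. { ncRedirectUrl: "...", ncBackUrl: "..." }.
function resolveLeaveTargets(query, origin = APP_ORIGIN) {
  const fallback = new URL(FALLBACK_PATH, origin).href;
  const pick = (v) => safeRedirectUrl(v, origin) || fallback;
  return {
    redirectUrl: pick(query && query.ncRedirectUrl),
    backUrl: pick(query && query.ncBackUrl),
  };
}
```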
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/nocodb/nocodb

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | network |
| Attack Complexity (AC) | low |
| Privileges Required (PR) | none |
| User Interaction (UI) | required |
| Scope (S) | changed |
| Confidentiality Impact (C) | low |
| Integrity Impact (I) | low |
| Availability Impact (A) | none |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9

No EPSS data available for this vulnerability.

| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-04T17:03:58.413028+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-9qgr-6vpg-9gh9/GHSA-9qgr-6vpg-9gh9.json | 38.6.0 |