CVE Catalog

CVE-2026-46547

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile — higher than 4% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had a reflected XSS vulnerability in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters were used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.

Risk Assessment

Exploitation of this vulnerability could lead to the execution of malicious JavaScript code in the user's context, jeopardizing data security and user privacy.

Recommendation

It is recommended to upgrade NocoDB to version 2026.04.1 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS