CVE-2026-46547
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
NocoDB prior to version 2026.04.1 had a reflected XSS vulnerability in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters were used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.
Risk Assessment
Exploitation of this vulnerability could lead to the execution of malicious JavaScript code in the user's context, jeopardizing data security and user privacy.
Recommendation
It is recommended to upgrade NocoDB to version 2026.04.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.

