CVE Catalog

CVE-2026-47377

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had a vulnerability in the hashRedirect plugin that allowed redirecting users to malicious sites. The redirection occurred after checking if the path starts with '/', which allowed the use of protocol-relative URLs.

Risk Assessment

Organizations could be exposed to phishing attacks and other forms of fraud, as users could be unknowingly redirected to malicious sites controlled by attackers.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 or later to eliminate this vulnerability and protect users from unauthorized redirections.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS