CVE Catalog

CVE-2026-47387

HighCVSS 8.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

NocoDB prior to version 2026.05.1 has a vulnerability that allows users with editor role to inject malicious JavaScript code through the form's redirect_url field. When an authenticated user opens the shared link, this code can be executed in the context of NocoDB.

Risk Assessment

This vulnerability allows attackers to steal session tokens, potentially leading to unauthorized access to user data. Organizations should be aware of the risks associated with unauthorized access to sensitive information.

Recommendation

It is recommended to update NocoDB to version 2026.05.1 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application is advisable to identify other potential threats.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS