CVE-2026-46547

MEDIUM NVD

CVSS Score 6.1

Severity MEDIUM

Published Jun 23, 2026

Vendor unknown

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.

References

https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9