logo

Database

Reflected cross-site scripting (XSS) In nocodb

Description

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.

Details

PageLeavingWarning.vue reads ncRedirectUrl and ncBackUrl directly from the route query without validation. When isSameOriginUrl() returns false (as it does for javascript: URIs), the raw URL is assigned to window.location.href, executing arbitrary JavaScript. The redirect URL is also bound directly to an <a> tag's href attribute.

Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

Credit

This issue was reported by @naoyashiga.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-465472. NVD-2026-465473. OSV-2026-465474. GHSA-9qgr-6vpg-9gh95. GCVE-2026-46547

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.