Reflected XSS Vulnerability in NocoDB Software
CVE-2026-46547

6.1 MEDIUM

Key Information:

Vendor

Nocodb

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-46547?

NocoDB, a software tool for building databases in a spreadsheet format, contains a reflected XSS vulnerability in its Page Leaving Warning feature. Prior to version 2026.04.1, the ncRedirectUrl and ncBackUrl query parameters are not adequately validated before being used in window.location.href and anchor tag bindings. This allows JavaScript URI injection, putting users and their data at risk. The issue is fixed in version 2026.04.1.
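
The kind of check that closes this class of bug, as an added example (not NocoDB's code or its patch): parse the parameter the way the browser would, allow only http/https, and return the parsed URL instead of the raw string. Only the parameter names ncRedirectUrl and ncBackUrl come from the advisory; the function names, the "/" fallback, the same-origin policy and the origin app.example.test are assumptions.

```javascript
// Added example (not NocoDB code). Validates a navigation target taken from a
// query parameter before it reaches window.location.href or an <a href>.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized same-origin URL string, or `fallback` when the value is
// missing, unparsable, uses another scheme, or points at another origin.
function safeNavigationTarget(raw, appOrigin, fallback = "/") {
  if (typeof raw !== "string" || raw.trim() === "") return fallback;
  let url;
  try {
    // The WHATWG parser strips leading whitespace and embedded tabs/newlines
    // and lowercases the scheme, so " JaVa\tScRiPt:..." parses as
    // "javascript:". Checking the parsed protocol avoids string-matching gaps.
    url = new URL(raw, appOrigin);
  } catch {
    return fallback;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return fallback;
  // Assumption: only same-origin targets are legitimate for this feature.
  // This also rejects "//host" and "/\host", which resolve to another origin.
  if (url.origin !== new URL(appOrigin).origin) return fallback;
  return url.href; // bind the parsed form, never the raw string
}

// Reads both parameters named in the advisory from a location.search string.
function leaveWarningTargets(search, appOrigin) {
  const params = new URLSearchParams(search);
  return {
    redirect: safeNavigationTarget(params.get("ncRedirectUrl"), appOrigin),
    back: safeNavigationTarget(params.get("ncBackUrl"), appOrigin),
  };
}

// Constructed sample inputs (hypothetical origin and values).
const ORIGIN = "https://app.example.test";
const samples = [
  "javascript:void(0)",
  " JaVa\tScRiPt:void(0)",
  "//other.example.test/x",
  "/\\other.example.test",
  "/dashboard?tab=1",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeNavigationTarget(s, ORIGIN));
}
```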

Affected Version(s)

nocodb < 2026.04.1

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
