Cross-Site Scripting Vulnerability in NocoDB by NocoDB
CVE-2026-47387

8.4 HIGH

Key Information:

Vendor: NocoDB
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-47387?

NocoDB, a tool for building spreadsheet-like databases, has a cross-site scripting (XSS) vulnerability in the form-view submit handler. In versions prior to 2026.05.1, the same-host check applied to the redirect_url parameter does not properly validate the URL scheme. An authenticated user with the editor role or higher can therefore set redirect_url to a value carrying a malicious JavaScript payload. When an authenticated user submits the shared form link, the injected script executes in the context of the NocoDB application and can read sensitive session tokens from local storage. The vulnerability is fixed in version 2026.05.1.

Affected Version(s)

nocodb < 2026.05.1

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved