CVE-2026-47387
Deferred Deferred - Pending Action

DOM-Based XSS in NocoDB via Malicious Redirect URL

Vulnerability report for CVE-2026-47387, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb to 2026.05.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.05.1 in the shared form-view submit handler. The handler writes the form's redirect_url to window.location.href after performing a same-host check that does not validate the URL scheme.

A user with an editor role or higher on any base can insert a javascript: URL into the form's redirect_url. When an authenticated viewer opens the share-link and submits the form, the malicious JavaScript payload executes within the NocoDB origin.

This execution allows the attacker to read the session token stored in localStorage under the key "nocodb-gui-v2", potentially compromising the user's session.

The vulnerability was fixed in version 2026.05.1.

Compliance Impact

This vulnerability allows an attacker with editor role or above to execute arbitrary JavaScript in the context of the NocoDB origin, potentially accessing session tokens stored in localStorage. Such unauthorized access to session tokens can lead to unauthorized data access or data breaches.

Unauthorized access to sensitive data or session tokens can impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability could lead to non-compliance with these standards if exploited, due to the risk of unauthorized data exposure or compromise of user sessions.

Impact Analysis

This vulnerability can lead to session token theft by executing malicious JavaScript in the context of the NocoDB origin.

An attacker with editor or higher privileges can craft a malicious redirect URL that, when triggered by an authenticated viewer, steals their session token.

With the stolen session token, the attacker could impersonate the victim, gaining unauthorized access to their NocoDB session and potentially sensitive data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.

This vulnerability allows an editor or higher role user to inject a malicious javascript: URL in the form's redirect_url, which can execute code and steal session tokens when a viewer submits the form. Upgrading ensures the redirect_url is properly validated.

Detection Guidance

This vulnerability can be detected by checking if your NocoDB instance is running a version prior to 2026.05.1 and if the form-view submit handler accepts and processes a redirect_url parameter containing a javascript: URL scheme.

To detect exploitation attempts or presence of the vulnerability, you can monitor HTTP PATCH requests to the form-view endpoint for suspicious redirect_url parameters containing javascript: URLs.

Example commands to detect such attempts include:

  • Using grep on web server logs to find javascript: in redirect_url parameters: grep -i 'redirect_url=.*javascript:' /path/to/access.log
  • Using curl to test if the form-view PATCH endpoint accepts a javascript: URL in redirect_url (replace URL and authentication as needed): curl -X PATCH -H "Content-Type: application/json" -d '{"redirect_url":"javascript:alert(1)"}' https://your-nocodb-instance/api/v1/form-view
  • Monitoring browser developer tools or proxy logs for execution of javascript: URLs after form submission on shared form links.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47387. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart