PatchSiren


CVE-2026-46547 nocodb CVE debrief

CVE-2026-46547 is a reflected cross-site scripting (XSS) vulnerability in NocoDB, an open-source platform that presents databases as spreadsheet-style interfaces. The flaw sits in the Page Leaving Warning page, where the ncRedirectUrl and ncBackUrl query parameters are bound to window.location.href and to <a> href attributes without validation, so a javascript: URI supplied in either parameter is executed as script in the victim's browser. The issue is fixed in version 2026.04.1. The CVSS score is 6.1 (medium). The CVE was published on June 23, 2026 and last modified on June 25, 2026.

Vendor
nocodb
Product
Unknown
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Anyone operating a NocoDB instance should care, especially where users can be sent links to it from outside (shared workspaces, e-mailed notifications, public-facing deployments). Because the XSS is reflected, exploitation requires a victim to open a crafted URL, but the injected script then runs in the NocoDB origin with the victim's session and can read or modify whatever that user can. Run version 2026.04.1 or later.

Technical summary

The Page Leaving Warning page reads the ncRedirectUrl and ncBackUrl query parameters and uses their values directly as the target of window.location.href and as the href of <a> elements. Neither value is checked for a safe scheme, so an attacker who gets a victim to open the page with ncRedirectUrl or ncBackUrl set to a javascript: URI has the browser execute the embedded script in the page's origin when the redirect fires or the link is clicked. Because the sink is a URL, not HTML, ordinary HTML escaping does not help; the value has to be parsed and its scheme and destination checked. Version 2026.04.1 validates these parameters before use and rejects javascript: URIs.
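To make the sink concrete, here is an added example (written for this debrief, not NocoDB's code) that places the unsafe pattern the advisory describes next to a hardened resolver for redirect-style query parameters. The parameter names are the ones from the CVE; the origin nocodb.example and the function names are assumptions. The hardened version parses the value with the WHATWG URL parser before looking at the scheme, which is what defeats obfuscated forms such as a leading tab or an embedded newline that a naive string-prefix check would miss.

```javascript
// Added example, not NocoDB's own code. Shows the unsafe binding pattern from
// CVE-2026-46547 and a hardened replacement for values that end up in
// window.location.href or an <a href> binding.

// Vulnerable pattern: the query value goes straight to the navigation sink.
// In the real page this would be `window.location.href = target`; here we only
// return the string that would reach the sink so it runs outside a browser.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("ncRedirectUrl") || "/";
}

// Hardened resolver: parse the value relative to the current origin and accept
// only http(s) URLs that stay on that origin. Everything else falls back.
function safeRedirectTarget(raw, currentOrigin, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  let parsed;
  try {
    parsed = new URL(raw, currentOrigin);
  } catch {
    return fallback; // not a URL at all
  }
  // Scheme check on the *parsed* URL. The URL parser strips leading/trailing
  // control characters and removes tabs/newlines, so "\tjava\nscript:" is
  // normalised to "javascript:" before we compare; a raw startsWith() would not.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
  // Origin check defeats open redirects such as "//evil.example" or
  // "/\evil.example" (backslash is a slash for special schemes).
  if (parsed.origin !== new URL(currentOrigin).origin) return fallback;
  return parsed.href;
}

// Resolve both parameters named in the advisory from a page's query string.
function resolveFromQuery(search, currentOrigin) {
  const params = new URLSearchParams(search);
  return {
    redirect: safeRedirectTarget(params.get("ncRedirectUrl"), currentOrigin),
    back: safeRedirectTarget(params.get("ncBackUrl"), currentOrigin),
  };
}

// Stand-alone demonstration against a constructed query string.
const ORIGIN = "https://nocodb.example"; // assumed origin for the example
console.log(unsafeRedirectTarget("?ncRedirectUrl=javascript:alert(1)"));
console.log(resolveFromQuery(
  "?ncRedirectUrl=javascript:alert(1)&ncBackUrl=/dashboard",
  ORIGIN
));
```

If the application only ever needs in-app destinations, returning `parsed.pathname + parsed.search + parsed.hash` instead of `parsed.href` is stricter still, since it can never carry a host. The origin check matters even once javascript: is rejected: a scheme check alone turns the XSS into an open redirect, which is still useful to a phisher.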

Defensive priority

The CVSS score of 6.1 (medium) is the usual rating for reflected XSS: the attacker needs no account, but a victim has to open a crafted link. Once a victim does, exploitation is trivial, and the script runs with that user's NocoDB session. Treat this as a routine patch item for internal instances and a prompt one for internet-exposed deployments or organisations whose users are easy to phish.

Recommended defensive actions

  • Patch NocoDB to version 2026.04.1 or later
  • Until patched, reject requests at the reverse proxy or WAF whose ncRedirectUrl or ncBackUrl value, after percent-decoding, is anything other than a same-origin path; check the parsed scheme rather than a string prefix, since "\tjavascript:" and similar variants bypass prefix matching
  • Deploy a Content Security Policy: a script-src directive without 'unsafe-inline' blocks javascript: URL navigations as well as inline scripts, which limits the impact of this bug class even before the patch lands
  • Review web-server access logs for requests carrying javascript:, data: or off-site values in those two parameters, and treat hits as attempted phishing of your users rather than as noise
  • Conduct regular vulnerability assessments and penetration testing to identify potential vulnerabilities
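As an added example of the log review suggested above (written for this debrief, not tooling from NocoDB or PatchSiren), the following scans combined-format access log lines for the two parameters named in the CVE and flags values whose decoded scheme is not http(s) or whose host leaves the site. The log lines are constructed, the request path is a placeholder rather than NocoDB's real route, and the default site origin app.invalid is a stand-in you would replace with your own.

```javascript
// Added example, not NocoDB's or PatchSiren's code: flag access-log requests
// whose ncRedirectUrl / ncBackUrl values look like CVE-2026-46547 attempts.

const WATCHED_PARAMS = ["ncRedirectUrl", "ncBackUrl"];

// Combined/common log format: client - user [time] "METHOD target HTTP/x" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Constructed sample lines. The path /dashboard/ is a placeholder, not the
// real route of the affected page.
const SAMPLE_LOG_LINES = [
  '203.0.113.5 - - [23/Jun/2026:10:01:02 +0000] "GET /dashboard/ HTTP/1.1" 200 512',
  '203.0.113.9 - - [23/Jun/2026:10:02:13 +0000] "GET /dashboard/?ncRedirectUrl=javascript%3Aalert(document.domain) HTTP/1.1" 200 512',
  '203.0.113.9 - - [23/Jun/2026:10:02:40 +0000] "GET /dashboard/?ncBackUrl=%09java%0Ascript%3Aalert(1)&ncRedirectUrl=%2Fdashboard HTTP/1.1" 200 512',
  '198.51.100.7 - - [23/Jun/2026:11:15:09 +0000] "GET /dashboard/?ncRedirectUrl=%2F%2Fevil.example%2F HTTP/1.1" 200 512',
];

// Decide whether a decoded parameter value is safe relative to siteOrigin.
// Returns null for a benign same-site target, otherwise a short reason string.
function classifyValue(value, siteOrigin) {
  let u;
  try {
    u = new URL(value, siteOrigin); // relative paths resolve against the site
  } catch {
    return "unparseable";
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol}`;
  if (u.origin !== new URL(siteOrigin).origin) return `off-site host ${u.host}`;
  return null;
}

// Walk the lines, pull the query string out of the request target, and report
// every watched parameter whose value is suspicious.
function flagSuspiciousRequests(lines, siteOrigin = "https://app.invalid") {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, time, method, target, status] = m;
    const q = target.indexOf("?");
    if (q < 0) continue;
    const params = new URLSearchParams(target.slice(q + 1)); // percent-decodes values
    for (const name of WATCHED_PARAMS) {
      const value = params.get(name);
      if (value === null) continue;
      const reason = classifyValue(value, siteOrigin);
      if (reason) hits.push({ client, time, method, status, param: name, value, reason });
    }
  }
  return hits;
}

for (const hit of flagSuspiciousRequests(SAMPLE_LOG_LINES)) {
  console.log(`${hit.time} ${hit.client} ${hit.param}=${JSON.stringify(hit.value)} -> ${hit.reason}`);
}
```

Pass your instance's real origin as the second argument so legitimate absolute links back into the same site are not reported as off-site. Hits from the same client within a short window, as in the second and third sample lines, are worth pivoting on: the attacker is usually testing encodings before sending the final link to a victim.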

Evidence notes

The stored evidence does not name the reporter; the issue is tracked as CVE-2026-46547. It is fixed in version 2026.04.1, and users are advised to upgrade to that version or later. The CVSS score is 6.1 (medium). The product field is recorded as Unknown in the stored evidence even though the description clearly identifies NocoDB.

Official resources

This article is AI-assisted and based on the supplied source corpus.