CVE-2026-46547 - Vulnerability Details - OpenCVE

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Nocodb	Nocodb

No data.

No data.

References

Link	Providers
https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9

History

Thu, 25 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 24 Jun 2026 01:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nocodb Nocodb nocodb
Vendors & Products		Nocodb Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1.
Title		NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
Weaknesses		CWE-79
References		https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-23T20:42:03.511Z

Updated: 2026-06-25T12:50:35.771Z

Reserved: 2026-05-14T20:42:31.368Z

Link: CVE-2026-46547

Vulnrichment

Updated: 2026-06-25T12:50:30.852Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46547", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-14T20:42:31.368Z", "datePublished": "2026-06-23T20:42:03.511Z", "dateUpdated": "2026-06-25T12:50:35.771Z"}, "containers": {"cna": {"title": "NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9"}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"version": "< 2026.04.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:42:03.511Z"}, "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1."}], "source": {"advisory": "GHSA-9qgr-6vpg-9gh9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-25T12:50:08.621294Z", "id": "CVE-2026-46547", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T12:50:35.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-46547", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T12:50:08.621294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-25T12:50:30.852Z"}}], "cna": {"title": "NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL", "source": {"advisory": "GHSA-9qgr-6vpg-9gh9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "< 2026.04.1"}]}], "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, a reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection. This vulnerability is fixed in 2026.04.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T20:42:03.511Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46547", "state": "PUBLISHED", "dateUpdated": "2026-06-25T12:50:35.771Z", "dateReserved": "2026-05-14T20:42:31.368Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-23T20:42:03.511Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}