Threat Advisory

NocoDB Vulnerabilities Involve Form Link Resolution and Inputs

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Two stored cross-site scripting (XSS) vulnerabilities have been disclosed in NocoDB, the open-source no-code database platform. One lets an editor store a script-bearing redirect URL on a form view; the other lets a commenter store malicious HTML in a row comment. In both cases the payload is persisted server-side and later executes in the browser of another authenticated user, within NocoDB's own origin. Because NocoDB keeps authentication tokens in localStorage, same-origin script can read them and can also call the API directly as the victim, so the usual HttpOnly-cookie protection against token theft does not apply here. For organizations that rely on NocoDB for internal data capture or collaborative workspaces, this translates to unauthorized data access, potential data exfiltration, and abuse of whatever API privileges the victim holds.

CVE-2026-47387 with a CVSS score of 8.4 – Stored XSS in the form-view redirect URL. An editor-level user can set a "javascript:" URL as the post-submit redirect, and the same-host check does not reject it; the script then runs in the browser of any authenticated user who submits the shared form. Exploitation requires only the ability to edit a form and a victim who opens the share link and submits it. A host comparison on its own says nothing about the URL scheme, which is why scheme allowlisting (http and https only) is the relevant control for this class of bug.
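
The snippet below is an added illustration of this bug class; it is not NocoDB's code or the advisory's proof of concept. It shows a redirect check that only compares hostnames and therefore accepts a "javascript:" URL (such URLs have no host component), next to a hardened check that allowlists the scheme and compares the full origin. APP_ORIGIN, the function names and the sample URLs are assumptions made for the demo.

```javascript
// Added example (not NocoDB's code): weak vs. hardened validation of a
// form-view redirect URL. APP_ORIGIN is an assumed deployment origin.
const APP_ORIGIN = "https://nocodb.example.internal";
const APP_HOST = new URL(APP_ORIGIN).hostname;

// Weak check, illustrative of the bug class: anything that does not name a
// *different* host is treated as same-host. A "javascript:" URL parses with an
// empty hostname, so it slips through just like a relative path would.
function isSameHostWeak(redirectUrl) {
  let parsed;
  try {
    parsed = new URL(redirectUrl, APP_ORIGIN);
  } catch {
    return false; // unparseable input is rejected
  }
  return parsed.hostname === "" || parsed.hostname === APP_HOST;
}

// Hardened check: resolve relative paths against the app origin, then accept
// only http(s) URLs whose full origin (scheme + host + port) matches.
// Returns the normalised absolute URL, or null when the value must not be used.
function resolveRedirectUrl(redirectUrl) {
  let parsed;
  try {
    parsed = new URL(redirectUrl, APP_ORIGIN);
  } catch {
    return null;
  }
  // The URL parser lowercases the scheme, so "JavaScript:" is caught too.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // Origin comparison alone is not enough: a blob: URL minted in the app's
  // origin reports that origin, so the scheme allowlist above must stay.
  if (parsed.origin !== APP_ORIGIN) return null;
  return parsed.href;
}

// Constructed sample values of the kind an editor could store in the field.
const SAMPLE_REDIRECTS = [
  "https://nocodb.example.internal/thank-you?ok=1",
  "/thank-you",
  "javascript:alert(document.domain)",
  "JavaScript:void(0)",
  "//attacker.example/phish",
  "blob:https://nocodb.example.internal/0f9c1a",
];

// Run both checks over a list of URLs and report the outcomes side by side.
function classifyRedirects(urls = SAMPLE_REDIRECTS) {
  return urls.map((url) => ({
    url,
    weakAccepts: isSameHostWeak(url),
    hardened: resolveRedirectUrl(url), // null means "rejected"
  }));
}

console.table(classifyRedirects());
```

The table shows the weak check accepting both "javascript:" variants while the hardened check rejects them and the protocol-relative and blob: values, yet still resolves "/thank-you" to a usable absolute URL. The same validation belongs on the server when the redirect value is saved, not only in the client that performs the navigation.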

CVE-2026-47383 with a CVSS score of 7.4 – Stored XSS in row comments. An authenticated user with comment permission can embed malicious HTML in a row comment; when another user hovers over that comment in the expanded form view, the stored markup is rendered as HTML rather than as text and the payload executes. Exploitation requires comment permission and a victim who views the affected row.
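
As an added illustration (not NocoDB's code), the snippet below contrasts the two ways a stored comment can reach a hover tooltip: interpolated straight into the markup, or escaped at the sink. The tooltip shape, function names and comment bodies are constructed for the demo. It also covers the attribute context, because a tooltip that puts the comment into a title attribute can be broken out of with a single double quote even when angle brackets are handled.

```javascript
// Added example (not NocoDB's code): rendering a stored row comment into
// tooltip markup unsafely vs. with escaping applied at the HTML sink.

// Escape the characters that change meaning in HTML text content or inside a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (illustrative): the comment body is dropped into both an
// attribute and the element text as-is, so stored tags and event-handler
// attributes become live when the tooltip is shown on hover.
function renderCommentTooltipUnsafe(comment) {
  return `<div class="comment-tooltip" title="${comment.body}">${comment.body}</div>`;
}

// Hardened pattern: escape once, at the point where the string becomes HTML,
// for both contexts. The browser then shows the markup as literal text.
function renderCommentTooltipSafe(comment) {
  const body = escapeHtml(comment.body);
  return `<div class="comment-tooltip" title="${body}">${body}</div>`;
}

// Constructed comment bodies: one injects an element, one breaks out of the
// title attribute to add an event handler to the wrapper itself.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Looks good, approving." },
  { author: "mallory", body: "<img src=x onerror=alert(document.domain)>" },
  { author: "mallory", body: '" onmouseover="alert(document.domain)' },
];

// Render every sample both ways so the difference can be inspected.
function renderAll(comments = SAMPLE_COMMENTS) {
  return comments.map((c) => ({
    author: c.author,
    unsafe: renderCommentTooltipUnsafe(c),
    safe: renderCommentTooltipSafe(c),
  }));
}

for (const row of renderAll()) {
  console.log(`[${row.author}] unsafe: ${row.unsafe}`);
  console.log(`[${row.author}] safe:   ${row.safe}`);
}
```

In a framework template the equivalent fix is to bind the comment with text interpolation or textContent rather than an HTML-rendering directive such as Vue's v-html or a raw innerHTML assignment. If comments are required to carry formatting, escaping is the wrong tool and a maintained allowlist sanitizer such as DOMPurify should run on the stored string before it is rendered; a hand-written tag filter is not a substitute.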

RECOMMENDATION:

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-hj85-ph9q-78jg
https://github.com/advisories/GHSA-jf3g-4gwg-4h66
