Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Summary
A reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.
Details
PageLeavingWarning.vue reads ncRedirectUrl and ncBackUrl directly from the route query without validation. When isSameOriginUrl() returns false (as it does for javascript: URIs), the raw URL is assigned to window.location.href, executing arbitrary JavaScript. The redirect URL is also bound directly to an <a> tag's href attribute.
Impact
An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.
Credit
This issue was reported by @naoyashiga.
AnalysisAI
Reflected XSS in NocoDB's Page Leaving Warning component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a javascript: URI in the ncRedirectUrl or ncBackUrl query parameters. All NocoDB npm releases up to and including version 0.301.3 are affected, and no vendor-released patch has been identified at time of analysis. No active exploitation has been confirmed (not in CISA KEV), but the GitHub Security Advisory provides sufficient technical specificity - including the exact vulnerable file and parameter names - to enable independent POC development.
Technical ContextAI
NocoDB is an open-source no-code database platform distributed as an npm package (pkg:npm/nocodb) built on Vue.js. The vulnerability resides in PageLeavingWarning.vue, a Vue Router component rendered when users attempt to navigate away from pages with unsaved changes. The component reads ncRedirectUrl and ncBackUrl directly from the route query object without sanitization or allowlist validation. A same-origin guard (isSameOriginUrl()) is present but does not block javascript: URIs - because they are not same-origin, the check returns false, and the code path assigns the raw attacker-controlled value to window.location.href and binds it as an <a> tag href, both of which browsers treat as executable JavaScript. CWE-79 (Improper Neutralization of Input During Web Page Generation) classifies the root cause as failure to neutralize user-controlled input before reflecting it into a JavaScript execution sink.
RemediationAI
No vendor-released patch has been identified at time of analysis - the GitHub Advisory GHSA-9qgr-6vpg-9gh9 (https://github.com/nocodb/nocodb/security/advisories/GHSA-9qgr-6vpg-9gh9) lists no fixed version for npm/nocodb <= 0.301.3. Organizations should monitor that advisory and the NocoDB GitHub repository for a patched release and upgrade immediately upon availability. As compensating controls: (1) Restrict NocoDB access to trusted internal networks or authenticated VPN sessions, which eliminates the primary attack-delivery surface (external phishing of crafted links) - trade-off is reduced accessibility for remote workers. (2) Deploy a Content Security Policy (CSP) header via reverse proxy or web server that includes default-src 'self' and disallows javascript: URI navigation (e.g., navigate-to 'self' or blocking via script-src); note that aggressive CSP may interfere with NocoDB's legitimate use of inline scripts and should be tested against application functionality before production enforcement. (3) If NocoDB is embedded behind an authenticated SSO or proxy layer, ensure users cannot receive and follow external deep-links to the NocoDB origin without re-authentication, reducing phishing effectiveness. Source-level mitigation for teams self-hosting from source: add javascript: URI scheme validation to isSameOriginUrl() in PageLeavingWarning.vue and reject any URL whose scheme is not http or https before assignment to window.location.href or <a href>.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38588
GHSA-9qgr-6vpg-9gh9