Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable form-view API, editor role needed (PR:L), viewer must submit the form (UI:R), payload executes in NocoDB origin different from the attacker's base context (S:C), session-token theft yields high C and I, no availability impact.
Primary rating from Vendor (https://github.com/nocodb/nocodb).
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Summary
The shared form-view submit handler in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"].
Details
The vulnerable sink is in packages/nc-gui/composables/useSharedFormViewStore.ts:
isValidRedirectUrlvalidated onlytypeof === 'string'and non-empty trim - no scheme check.- The submit branch built an anchor element, compared
anchor.hosttowindow.location.host, and either pushState-reloaded (same host) or assignedwindow.location.href = redirectUrl(otherwise). - For non-network schemes such as
javascript:,data:,vbscript:, andfile:,anchor.hostis the empty string, so the same-host check is false and the code falls into the external-redirect branch - executing the URL same-origin in the NocoDB tab.
The redirect_url field is writable by any user with editor role on the base via the form-view PATCH endpoint, and the value is returned verbatim by the public shared-view meta endpoint, so no further privilege is required to weaponize a public form share.
Impact
- Same-origin script execution in the viewer's NocoDB tab. The payload runs in the NocoDB origin and can read the session token at
localStorage["nocodb-gui-v2"].token. - Action under the viewer's identity. With the token, an attacker can call authenticated APIs as the viewer, scoped to whatever workspaces, bases, and operations that viewer is permitted to use.
- Single-click viewer flow. Form share-links are the intended distribution channel for forms, so the phishing surface is on-brand; the form can be configured with a single hidden pre-filled required field to reduce the viewer flow to one click.
Credit
This issue was reported by @kah-ja (turingpoint.de).
AnalysisAI
Stored cross-site scripting in NocoDB through 2026.05.0 allows a base editor to plant a javascript: URL in a form view's redirect_url, which executes same-origin in any authenticated viewer's browser when they submit the shared form. The payload can exfiltrate the session token from localStorage["nocodb-gui-v2"] and call NocoDB APIs as the victim. No public exploit identified at time of analysis, EPSS 0.07% (21st percentile), but a vendor patch is available in release 2026.05.1.
Technical ContextAI
NocoDB is an open-source Airtable-style no-code database platform distributed as the nocodb npm package. The defect lives in the Vue/Nuxt frontend composable packages/nc-gui/composables/useSharedFormViewStore.ts, where isValidRedirectUrl only checks that the value is a non-empty string and the submit handler relies on comparing an anchor element's host to window.location.host to distinguish internal vs external redirects. For pseudo-schemes like javascript:, data:, vbscript:, and file:, anchor.host is the empty string, so the same-host check fails and the code assigns the attacker-controlled value to window.location.href, executing script in the NocoDB origin. This is a classic CWE-79 (Cross-site Scripting) sink caused by missing URL scheme validation on a sink that effectively behaves as an HTML/JS navigation context.
RemediationAI
Vendor-released patch: upgrade NocoDB to 2026.05.1 or later, available at https://github.com/nocodb/nocodb/releases/tag/2026.05.1, which adds URL scheme validation to the shared form-view redirect logic. Refer to the GitHub Security Advisory GHSA-hj85-ph9q-78jg for additional details. If immediate upgrade is not possible, compensating controls include auditing all existing form views for non-http(s) redirect_url values via the database or admin API and clearing suspect entries, tightening editor role assignments on bases that publish public shared forms, and instructing users not to submit public shared forms while authenticated to NocoDB in the same browser session - each of these reduces but does not eliminate the attack surface and may disrupt legitimate use of shared forms.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38612
GHSA-hj85-ph9q-78jg