CVE-2026-47387

CVE-2026-47387 is a high-severity cross-site scripting (XSS) vulnerability in nocodb (npm), affecting versions <= 2026.05.0. It is fixed in 2026.05.1.

Summary

The shared form-view submit handler in NocoDB writes the form's redirect_url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role (or above) on any base can plant a javascript: URL in the form's redirect_url; when an authenticated viewer opens the share-link and submits the form, the payload executes in the NocoDB origin and can read the session token from localStorage["nocodb-gui-v2"].

Details

The vulnerable sink is in packages/nc-gui/composables/useSharedFormViewStore.ts:

  • isValidRedirectUrl checked only that the value was a string whose trimmed form was non-empty; it performed no scheme check.
  • The submit branch built an anchor element, compared anchor.host to window.location.host, and either pushState-reloaded (same host) or assigned window.location.href = redirectUrl (otherwise).
  • For non-network schemes such as javascript:, data:, vbscript:, and file:, anchor.host is the empty string, so the same-host comparison fails and the code falls into the external-redirect branch, which executes the URL in the NocoDB origin in the viewer's tab.

The redirect_url field is writable by any user with editor role on the base via the form-view PATCH endpoint, and the value is returned verbatim by the public shared-view meta endpoint, so no further privilege is required to weaponize a public form share.
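The check described above, rebuilt from the advisory's description as an added example (this is not NocoDB's own code, and the hardened variant is an illustrative fix, not the change shipped in 2026.05.1). It puts the scheme-blind validator next to a version that parses the value as a URL and allows only http(s), and adds a small helper a responder can run over stored form-view records to find redirect_url values that would fail the stricter check. Function names, the record shape, the origin and the sample rows are all assumed:

```javascript
// Added example, not NocoDB project code. Names, record shape and sample data are assumed.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Reconstruction of the vulnerable validator as the advisory describes it:
// only "is a non-empty string" is checked; the scheme is never inspected.
function isValidRedirectUrlVulnerable(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

// Emulates the old submit branch: compare the parsed host with the current host and
// pick 'same-host-reload' or 'external-assign' (the window.location.href sink).
// The browser code used an <a> element's .host; the WHATWG URL parser used here
// yields the same empty host for non-network schemes (javascript:, data:, ...),
// so those values fall through to the external-assign branch.
function classifyRedirectVulnerable(redirectUrl, currentOrigin) {
  if (!isValidRedirectUrlVulnerable(redirectUrl)) return 'rejected';
  let host = '';
  try {
    host = new URL(redirectUrl, currentOrigin).host;
  } catch {
    host = '';
  }
  return host === new URL(currentOrigin).host ? 'same-host-reload' : 'external-assign';
}

// Hardened validator: parse relative to the app origin and accept only http(s).
// Checking url.protocol (always lower-cased by the parser) rather than the host is
// what closes the gap: a host comparison alone cannot tell "javascript:" apart from
// "https://otherhost", because both simply fail the same-host test.
function isValidRedirectUrlHardened(value, currentOrigin) {
  if (typeof value !== 'string' || value.trim().length === 0) return false;
  let url;
  try {
    url = new URL(value.trim(), currentOrigin);
  } catch {
    return false; // unparseable input is rejected rather than handed to the sink
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Same branch decision as before, but only reached for values that passed the scheme check.
function classifyRedirectHardened(redirectUrl, currentOrigin) {
  if (!isValidRedirectUrlHardened(redirectUrl, currentOrigin)) return 'rejected';
  const url = new URL(redirectUrl.trim(), currentOrigin);
  return url.host === new URL(currentOrigin).host ? 'same-host-reload' : 'external-assign';
}

// Responder helper (record shape assumed): return ids of form views whose stored
// redirect_url would be rejected by the hardened check. Unset or blank values are
// treated as "no redirect" and skipped.
function auditRedirectUrls(formViews, currentOrigin) {
  return formViews
    .filter((fv) => typeof fv.redirect_url === 'string' && fv.redirect_url.trim() !== '')
    .filter((fv) => !isValidRedirectUrlHardened(fv.redirect_url, currentOrigin))
    .map((fv) => fv.id);
}

// Constructed sample data for a stand-alone run.
const ORIGIN = 'https://nocodb.example';
const SAMPLE_FORM_VIEWS = [
  { id: 'fv-1', redirect_url: 'https://nocodb.example/dashboard' },
  { id: 'fv-2', redirect_url: 'javascript:void(0)' },
  { id: 'fv-3', redirect_url: null },
  { id: 'fv-4', redirect_url: 'https://thanks.example/done' },
];

for (const fv of SAMPLE_FORM_VIEWS) {
  console.log(
    fv.id,
    JSON.stringify(fv.redirect_url),
    'vulnerable:', classifyRedirectVulnerable(fv.redirect_url, ORIGIN),
    'hardened:', classifyRedirectHardened(fv.redirect_url, ORIGIN),
  );
}
console.log('flagged by audit:', auditRedirectUrls(SAMPLE_FORM_VIEWS, ORIGIN));
```

Because the advisory notes that the field is stored through the form-view PATCH endpoint and echoed verbatim by the public shared-view meta endpoint, the same scheme check belongs on the server as well as in the submit handler: a value that is never stored cannot reach any viewer's browser, and the audit helper is only needed for values written before the upgrade.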

Credit

This issue was reported by @kah-ja (turingpoint.de).

Impact

  • Same-origin script execution in the viewer's NocoDB tab. The payload runs in the NocoDB origin and can read the session token at localStorage["nocodb-gui-v2"].token.
  • Action under the viewer's identity. With the token, an attacker can call authenticated APIs as the viewer, scoped to whatever workspaces, bases, and operations that viewer is permitted to use.
  • Single-click viewer flow. Form share-links are the intended distribution channel for forms, so the phishing surface is on-brand; the form can be configured with a single hidden pre-filled required field to reduce the viewer flow to one click.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

nocodb (<= 2026.05.0)

Security releases

nocodb → 2026.05.1 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade nocodb to 2026.05.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-47387? CVE-2026-47387 is a high-severity cross-site scripting (XSS) vulnerability in nocodb (npm), affecting versions <= 2026.05.0. It is fixed in 2026.05.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of nocodb are affected by CVE-2026-47387? nocodb (npm) versions <= 2026.05.0 are affected.
  3. Is there a fix for CVE-2026-47387? Yes. CVE-2026-47387 is fixed in 2026.05.1. Upgrade to this version or later.
  4. Is CVE-2026-47387 exploitable, and should I be worried? Whether CVE-2026-47387 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-47387 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-47387? Upgrade nocodb to 2026.05.1 or later.

Other vulnerabilities in nocodb

CVE-2026-53931, CVE-2026-53930, CVE-2026-53929, CVE-2026-53928, CVE-2026-53927
