What is GHSA-9qgr-6vpg-9gh9?

GHSA-9qgr-6vpg-9gh9 is a security advisory published by GitHub Security Advisories with Medium severity. NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

Which CVE IDs does GHSA-9qgr-6vpg-9gh9 cover?

GHSA-9qgr-6vpg-9gh9 covers the following CVE IDs: CVE-2026-46547. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-9qgr-6vpg-9gh9?

GHSA-9qgr-6vpg-9gh9 has a CVSS v3 base score of 6.1, published by GitHub Security Advisories.

Which products are affected by GHSA-9qgr-6vpg-9gh9?

GHSA-9qgr-6vpg-9gh9 affects 1 product, including: npm/nocodb:\u003c= 0.301.3.

GHSA-9qgr-6vpg-9gh9MediumCVSS 6.1

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

Vendor

GitHub Security Advisories

Published

May 21, 2026

Last Modified

May 21, 2026

🔗 CVE IDs covered (1)

CVE-2026-46547 →

📋 Description

Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The ncRedirectUrl and ncBackUrl query parameters are used in window.location.href and <a> tag bindings without validation, allowing javascript: URI injection.

Details

PageLeavingWarning.vue reads ncRedirectUrl and ncBackUrl directly from the route query without validation. When isSameOriginUrl() returns false (as it does for javascript: URIs), the raw URL is assigned to window.location.href, executing arbitrary JavaScript. The redirect URL is also bound directly to an <a> tag's href attribute.

Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

🔗 CVE IDs covered (1)

📋 Description

Summary

Details

Impact

Credit

🎯 Affected products1

🔗 References (2)