Loading market data...
← Back to CVE feed

CVE-2026-47377

UNKNOWN View on NVD ↗

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the client-side hashRedirect plugin called window.location.replace() on a path extracted from the URL hash fragment after only checking hashPath.startsWith('/'). Protocol-relative URLs (//attacker.com/…) also satisfy that check, so a crafted link silently redirected visitors to an attacker-controlled origin. This vulnerability is fixed in 2026.04.1.

Published: Jun 23, 2026 21:16 UTC Modified: Jun 24, 2026 16:16 UTC