Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NocoDB is a software platform for building databases as spreadsheets. Prior to the 2026.04.1 release, its password‑reset page rendered a URL token directly into a JavaScript string literal within a server‑rendered EJS template. The EJS <%= %> construct performs HTML‑entity encoding of a limited set of characters but does not escape single quotes or backslashes, allowing an attacker‑crafted token to break out of the JS string context and inject and execute arbitrary script within the NocoDB origin. This flaw is a reflected cross‑site scripting (CWE‑79) vulnerability that can be triggered simply by a victim following a malicious password‑reset link. The issue was addressed in the 2026.04.1 release.

Affected Systems

. The product is NocoDB, any installation running a version older than 2026.04.1 is susceptible. The flaw is located in the password‑reset mechanism before that release.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires only that a target user click a malicious password‑reset link. No elevation of privileges is required, but the impact is fully within the originating domain, enabling data theft or manipulation. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no publicly exploited variants yet. Nonetheless, because the attack vector is simple, the vulnerability should be remediated with priority.

Generated by OpenCVE AI on June 24, 2026 at 09:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later.
  • If an upgrade is not immediately possible, disable or restrict the password‑reset functionality until a patch is applied.
  • Review template rendering code to ensure all user‑supplied data is properly escaped for JavaScript contexts and consider configuring a web application firewall to block malicious payloads.

Generated by OpenCVE AI on June 24, 2026 at 09:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6xcx-7qmg-vjfq NocoDB: Reflected Cross-Site Scripting via Password Reset Token
History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Nocodb
Nocodb nocodb
Vendors & Products Nocodb
Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
Title NocoDB: Reflected Cross-Site Scripting via Password Reset Token
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:58:16.268Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47376

cve-icon Vulnrichment

Updated: 2026-06-24T13:58:09.984Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T10:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')