Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
Published: 2026-06-23
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the password-reset page of NocoDB, where a token taken from the URL is inserted directly into a JavaScript string literal within an EJS template. Because the EJS <%= %> output tag HTML-entity-encodes only a fixed set of characters and does not escape single quotes or backslashes, an attacker can craft a token that terminates the string and injects script that runs in the victim's browser under the NocoDB origin. This is a reflected cross-site scripting flaw (CWE-79) that can lead to session hijacking, data theft, or unauthorized actions; it is fixed in version 2026.04.1.

Affected Systems

The affected vendor and product are both NocoDB; any installation running a version older than 2026.04.1 is susceptible. The flaw is located in the password-reset mechanism before that release.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires only that a target user click a malicious password-reset link; no privileges are required. Because the injected script runs in the NocoDB origin, it can read or manipulate data there. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no known exploitation in the wild yet. Nonetheless, because the attack vector is simple, the vulnerability should be remediated with priority.

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NocoDB to version 2026.04.1 or later.
  • If an upgrade is not immediately possible, disable or restrict the password‑reset functionality until a patch is applied.
  • Review template rendering code to ensure all user‑supplied data is properly escaped for JavaScript contexts and consider configuring a web application firewall to block malicious payloads.
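The escaping point in the last action, as an added example that is not NocoDB's or EJS's code: a constructed HTML-entity encoder standing in for the kind of encoding <%= %> performs (a model for illustration, not EJS's exact rule table) beside a JS-string-literal encoder, with a round-trip check that shows which one preserves arbitrary tokens when they land inside a script.

```javascript
// Constructed model of an HTML-entity encoder (not EJS's exact rule table).
// Entity encoding is correct for HTML text and attribute contexts, but it
// leaves the backslash alone, and the backslash is the escape character
// of a JS string literal.
function escapeHtml(s) {
  const rules = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;" };
  return String(s).replace(/[&<>"]/g, (c) => rules[c]);
}

// Vulnerable shape from the advisory: the token lands in a single-quoted JS
// literal with HTML-entity encoding only.
function renderVulnerable(token) {
  return `var resetToken = '${escapeHtml(token)}';`;
}

// Hardened shape: encode for the JS string-literal context. JSON.stringify
// escapes quotes, backslashes and control characters; the replace turns
// <, >, & and U+2028/U+2029 into \uXXXX escapes so the literal cannot
// close a <script> element and stays parseable on older engines that treat
// those two code points as line terminators inside a literal.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
function renderHardened(token) {
  return `var resetToken = ${toJsStringLiteral(token)};`;
}

// Round-trip check: parse the emitted statement as JavaScript and read the
// variable back. A correct encoder returns the input unchanged for every
// token; a wrong one alters it or fails to parse.
function roundTrip(statement) {
  try {
    return new Function(statement + " return resetToken;")();
  } catch (e) {
    return e instanceof SyntaxError ? "SYNTAX_ERROR" : "OTHER_ERROR";
  }
}

// Constructed sample tokens: one ordinary, the rest carrying the characters
// that matter in a JS string context.
const sampleTokens = ["tok_9f3a1c", "abc\\", "a'b", "x</script>y", "a&b"];
for (const t of sampleTokens) {
  console.log(JSON.stringify(t).padEnd(16),
    "entity-encoded:", JSON.stringify(roundTrip(renderVulnerable(t))).padEnd(22),
    "js-literal:", roundTrip(renderHardened(t)) === t ? "round-trips" : "MISMATCH");
}
```

Emitting the token through the hardened encoder with an unescaped output tag, or moving it into a data- attribute and reading it client-side, keeps the value out of the JS string context that entity encoding cannot protect.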

Generated by OpenCVE AI on June 24, 2026 at 02:46 UTC.


Advisories

Source       ID                    Title
GitHub GHSA  GHSA-6xcx-7qmg-vjfq   NocoDB: Reflected Cross-Site Scripting via Password Reset Token
History

Wed, 24 Jun 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nocodb; Nocodb nocodb
Vendors & Products                    Nocodb; Nocodb nocodb

Tue, 23 Jun 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
Title                          NocoDB: Reflected Cross-Site Scripting via Password Reset Token
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:35:37.248Z

Reserved: 2026-05-19T19:22:45.728Z

Link: CVE-2026-47376

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T03:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')