Impact
NocoDB is a software platform for building databases as spreadsheets. Prior to the 2026.04.1 release, its password‑reset page rendered a URL token directly into a JavaScript string literal within a server‑rendered EJS template. The EJS <%= %> construct performs HTML‑entity encoding of a limited set of characters but does not escape single quotes or backslashes, allowing an attacker‑crafted token to break out of the JS string context and inject and execute arbitrary script within the NocoDB origin. This flaw is a reflected cross‑site scripting (CWE‑79) vulnerability that can be triggered simply by a victim following a malicious password‑reset link. The issue was addressed in the 2026.04.1 release.
Affected Systems
. The product is NocoDB, any installation running a version older than 2026.04.1 is susceptible. The flaw is located in the password‑reset mechanism before that release.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. Exploitation requires only that a target user click a malicious password‑reset link. No elevation of privileges is required, but the impact is fully within the originating domain, enabling data theft or manipulation. EPSS is not available and the vulnerability is not listed in CISA KEV, suggesting no publicly exploited variants yet. Nonetheless, because the attack vector is simple, the vulnerability should be remediated with priority.
OpenCVE Enrichment
Github GHSA