CVE-2026-47376
Status: Received - Intake
Stored XSS in NocoDB Password Reset via Unsanitized Token

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
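The description above states the general point: an HTML-entity encoder, whatever its exact character table, is the wrong encoder for a value placed inside a JavaScript string literal. The following example is added here and is not NocoDB code. It contrasts a constructed minimal HTML-entity encoder (an illustration of the class, not a reproduction of EJS's escape table) with a context-appropriate JS-string encoder, and adds an allowlist check for the token itself. The `TOKEN_RE` format and the `renderWith…` helpers are assumptions for the demonstration.

```javascript
// Added example (not NocoDB code). Shows why HTML-entity encoding does not
// protect a JavaScript string context, and what context-appropriate encoding
// of untrusted data inside an inline <script> looks like.

// A constructed, minimal HTML-entity encoder covering only the HTML-significant
// characters. It is NOT EJS's table; it stands in for "some fixed HTML map".
// Note that the backslash and single quote pass through untouched.
function htmlEntityEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

// Context-appropriate encoder for a value embedded in an inline <script>:
// JSON.stringify yields a valid JS string literal (quotes and backslashes are
// escaped); the extra replacements prevent the literal from closing the
// surrounding <script> element and remove raw line terminators.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Defence in depth: a reset token never needs characters outside a narrow
// allowlist. The pattern below is an ASSUMED format (URL-safe base64 / hex);
// adjust it to match the token generator actually in use.
const TOKEN_RE = /^[A-Za-z0-9_-]{16,256}$/;
function isWellFormedToken(token) {
  return TOKEN_RE.test(String(token));
}

// Simulated template output for `var token = '<%= token %>';` using the
// HTML-entity encoder (the vulnerable pattern), versus the JS-string encoder.
function renderWithHtmlEncoder(token) {
  return `'${htmlEntityEncode(token)}'`;
}
function renderWithJsEncoder(token) {
  return jsStringLiteral(token);
}

// Parse the generated literal back offline and report whether it is valid JS
// and what value it produces. `new Function` is used purely as a parser here.
function roundTrip(literal) {
  try {
    return { ok: true, value: new Function(`return ${literal};`)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample tokens for the demonstration.
const SAMPLES = ["abc'def", 'a\\b', '</script>', 'QmFzZTY0VG9rZW5fMTIzNDU2'];
for (const t of SAMPLES) {
  const html = roundTrip(renderWithHtmlEncoder(t));
  const js = roundTrip(renderWithJsEncoder(t));
  console.log(JSON.stringify(t), 'wellFormed=' + isWellFormedToken(t),
    'htmlEncoder=' + (html.ok ? JSON.stringify(html.value) : html.error),
    'jsEncoder=' + JSON.stringify(js.value));
}
```

Running the block prints one line per sample: the HTML-encoded rendering is a SyntaxError for the quote-bearing token and silently changes the backslash-bearing one (`\b` becomes a backspace), while the JSON-based literal round-trips every value and never contains a raw `<`. The allowlist check rejects the first three samples outright, which is the cheapest place to stop such input regardless of how the template encodes it.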
Meta Information
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nocodb | Product: nocodb | Version / Range: 2026.04.1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI-generated summary
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.04.1. The password-reset page improperly renders the URL token directly into a JavaScript string literal within a server-rendered EJS template. While EJS HTML-entity-encodes certain characters, it does not escape single quotes or backslashes. This allows a crafted token to break out of the JavaScript string context and execute attacker-controlled scripts in the NocoDB origin.

An attacker can exploit this vulnerability by tricking a victim into following a malicious password-reset link containing the crafted token.

This issue was fixed in version 2026.04.1 of NocoDB.

Impact Analysis

This vulnerability allows attacker-controlled script to run within the context of the NocoDB origin. As a cross-site scripting (XSS) flaw, it could be used to steal sensitive information, hijack user sessions, or perform actions on behalf of the victim.

The attack requires the victim to interact with a malicious password-reset link, which could be delivered via phishing or other social engineering methods.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.04.1 or later, where the issue has been fixed.

Additionally, avoid clicking on or following any suspicious password-reset links until the upgrade is applied.
