CVE-2026-47376
Deferred Deferred - Pending Action

Stored XSS in NocoDB Password Reset via Unsanitized Token

Vulnerability report for CVE-2026-47376, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nocodb nocodb 2026.04.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in NocoDB versions prior to 2026.04.1. The password-reset page improperly renders the URL token directly into a JavaScript string literal within a server-rendered EJS template. While EJS HTML-entity-encodes certain characters, it does not escape single quotes or backslashes. This allows a crafted token to break out of the JavaScript string context and execute attacker-controlled scripts in the NocoDB origin.

An attacker can exploit this vulnerability by tricking a victim into following a malicious password-reset link containing the crafted token.

This issue was fixed in version 2026.04.1 of NocoDB.

Impact Analysis

This vulnerability can lead to the execution of attacker-controlled scripts within the context of the NocoDB origin. This means an attacker could perform cross-site scripting (XSS) attacks, potentially stealing sensitive information, hijacking user sessions, or performing actions on behalf of the victim.

The attack requires the victim to interact with a malicious password-reset link, which could be delivered via phishing or other social engineering methods.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade NocoDB to version 2026.04.1 or later, where the issue has been fixed.

Additionally, avoid clicking on or following any suspicious password-reset links until the upgrade is applied.

Detection Guidance

This vulnerability can be detected by checking if the NocoDB instance is running a version prior to 2026.04.1 and if the password-reset page is vulnerable to reflected Cross-Site Scripting (XSS) via the URL token parameter.

One way to detect the vulnerability is to send a crafted password-reset URL containing a payload that attempts to break out of the JavaScript string context and execute script. For example, testing with a token parameter that includes single quotes or backslashes to see if the script executes.

Example command using curl to test the password-reset page for XSS:

  • curl -v 'http://<nocodb-host>/password-reset?token='"'><script>alert(1)</script>

If the response contains the injected script or the alert is triggered when visiting the URL in a browser, the vulnerability is present.

Additionally, checking the version of NocoDB running can be done by querying the application or checking the installed package version to confirm if it is prior to 2026.04.1.

Compliance Impact

The provided information does not specify how the CVE-2026-47376 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47376. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart