CVE-2026-47376
NocoDB: Reflected Cross-Site Scripting via Password Reset Token
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.
| CWE | CWE-79 |
| Vendor | nocodb |
| Product | nocodb |
| Published | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for nocodb nocodb
Be the first to know when new unknown vulnerabilities affecting nocodb nocodb are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
nocodb / nocodb
< 2026.04.1