Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.
CVSS VectorVendor: https://github.com/nocodb/nocodb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Summary
The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.
Details
The vulnerable template embedded the token as:
token: '<%= token %>',A token containing ';alert(document.cookie);// closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it from dataset.token at runtime, so EJS's HTML-entity escaping is sufficient.
Impact
- Reflected XSS in the NocoDB origin via a phished password-reset URL.
- No authentication required to trigger; affects any user who clicks the crafted link.
- Same-origin script can read auth state and act on the victim's behalf.
Credit
This issue was reported by @fg0x0.
AnalysisAI
Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.
Technical ContextAI
NocoDB (pkg:npm/nocodb) uses the EJS templating engine for server-rendered HTML pages. EJS's default output tag (<%= %>) applies HTML entity encoding to a limited character set - specifically angle brackets, ampersands, and double quotes - but does NOT escape single quotes or backslashes. The vulnerable password-reset template embedded the URL-supplied token directly inside a JavaScript string literal delimited by single quotes: token: '<%= token %>',. Because EJS does not sanitize single quotes in this context, an attacker-supplied token containing ';alert(document.cookie);// terminates the string, injects executable JavaScript, and comments out the remainder of the line. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause class: user-controlled data flows into an executable code context without context-appropriate escaping. The fix correctly separates data from code by moving the token into an HTML data attribute (data-token="..."), where EJS HTML-entity encoding is sufficient, and reading it via dataset.token at runtime.
RemediationAI
Upgrade NocoDB to version 2026.04.1 or later, which resolves the vulnerability by moving the reset token from a JavaScript string literal into an HTML data attribute, making EJS's default HTML entity encoding sufficient to prevent injection. The patched release is available at https://github.com/nocodb/nocodb/releases/tag/2026.04.1. If an immediate upgrade is not possible, a specific compensating control is to configure a reverse proxy or WAF rule to reject or sanitize password-reset requests where the token parameter contains single quotes, backslashes, or JavaScript-significant characters such as semicolons and parentheses - though this approach may inadvertently block legitimate tokens if the token character space is not well-defined. A second compensating control is to disable the password-reset-by-email feature entirely if it is not operationally required, removing the attack surface. Both workarounds carry operational trade-offs: the WAF rule may cause false positives, and disabling password reset forces manual admin intervention for credential recovery.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38627
GHSA-6xcx-7qmg-vjfq