Skip to main content

NocoDB EUVDEUVD-2026-38627

| CVE-2026-47376 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-05 https://github.com/nocodb/nocodb GHSA-6xcx-7qmg-vjfq
5.1
CVSS 4.0 · Vendor: https://github.com/nocodb/nocodb
Share

Severity by source

Vendor (https://github.com/nocodb/nocodb) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/nocodb/nocodb) · only source for this CVE.

CVSS VectorVendor: https://github.com/nocodb/nocodb

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 21:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 05, 2026 - 16:18 vuln.today
Analysis Generated
Jun 05, 2026 - 16:18 vuln.today

DescriptionCVE.org

Summary

The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.

Details

The vulnerable template embedded the token as:

ejs
token: '<%= token %>',

A token containing ';alert(document.cookie);// closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it from dataset.token at runtime, so EJS's HTML-entity escaping is sufficient.

Impact

  • Reflected XSS in the NocoDB origin via a phished password-reset URL.
  • No authentication required to trigger; affects any user who clicks the crafted link.
  • Same-origin script can read auth state and act on the victim's behalf.

Credit

This issue was reported by @fg0x0.

AnalysisAI

Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.

Technical ContextAI

NocoDB (pkg:npm/nocodb) uses the EJS templating engine for server-rendered HTML pages. EJS's default output tag (<%= %>) applies HTML entity encoding to a limited character set - specifically angle brackets, ampersands, and double quotes - but does NOT escape single quotes or backslashes. The vulnerable password-reset template embedded the URL-supplied token directly inside a JavaScript string literal delimited by single quotes: token: '<%= token %>',. Because EJS does not sanitize single quotes in this context, an attacker-supplied token containing ';alert(document.cookie);// terminates the string, injects executable JavaScript, and comments out the remainder of the line. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause class: user-controlled data flows into an executable code context without context-appropriate escaping. The fix correctly separates data from code by moving the token into an HTML data attribute (data-token="..."), where EJS HTML-entity encoding is sufficient, and reading it via dataset.token at runtime.

RemediationAI

Upgrade NocoDB to version 2026.04.1 or later, which resolves the vulnerability by moving the reset token from a JavaScript string literal into an HTML data attribute, making EJS's default HTML entity encoding sufficient to prevent injection. The patched release is available at https://github.com/nocodb/nocodb/releases/tag/2026.04.1. If an immediate upgrade is not possible, a specific compensating control is to configure a reverse proxy or WAF rule to reject or sanitize password-reset requests where the token parameter contains single quotes, backslashes, or JavaScript-significant characters such as semicolons and parentheses - though this approach may inadvertently block legitimate tokens if the token character space is not well-defined. A second compensating control is to disable the password-reset-by-email feature entirely if it is not operationally required, removing the attack surface. Both workarounds carry operational trade-offs: the WAF rule may cause false positives, and disabling password reset forces manual admin intervention for credential recovery.

Share

EUVD-2026-38627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy