CVE Catalog

CVE-2026-47376

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

NocoDB prior to version 2026.04.1 had a vulnerability in the password-reset page that rendered the URL token directly into JavaScript string literals. A crafted token could break out of the JS string context and execute attacker-controlled script.

Risk Assessment

An attacker could exploit this vulnerability by tricking a victim into clicking a malicious password-reset link, leading to unauthorized code execution in the context of NocoDB.

Recommendation

It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this vulnerability.

Original NVD description (English source)

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS