CVE-2026-47376
MediumCVSS 5.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
NocoDB prior to version 2026.04.1 had a vulnerability in the password-reset page that rendered the URL token directly into JavaScript string literals. A crafted token could break out of the JS string context and execute attacker-controlled script.
Risk Assessment
An attacker could exploit this vulnerability by tricking a victim into clicking a malicious password-reset link, leading to unauthorized code execution in the context of NocoDB.
Recommendation
It is recommended to update NocoDB to version 2026.04.1 or later to mitigate this vulnerability.
Original NVD description (English source)
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.

