logo

Database

Reflected cross-site scripting (XSS) In nocodb

Description

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Summary

The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.

Details

The vulnerable template embedded the token as:

token: '<%= token %>',

A token containing ';alert(document.cookie);// closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it from dataset.token at runtime, so EJS's HTML-entity escaping is sufficient.

Impact

    Reflected XSS in the NocoDB origin via a phished password-reset URL.

    No authentication required to trigger; affects any user who clicks the crafted link.

    Same-origin script can read auth state and act on the victim's behalf.

Credit

This issue was reported by @fg0x0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-473762. NVD-2026-473763. OSV-2026-473764. GHSA-6xcx-7qmg-vjfq5. GCVE-2026-47376

References

1. https://github.com/nocodb/nocodb/security/advisories/GHSA-6xcx-7qmg-vjfq2. https://github.com/nocodb/nocodb/releases/tag/2026.04.1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-H6D1R – Vulnerability | Fluid Attacks Database