GHSA-6xcx-7qmg-vjfqMedium

NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Published
June 5, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.

Details

The vulnerable template embedded the token as:

token: '<%= token %>',

A token containing ';alert(document.cookie);// closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it from dataset.token at runtime, so EJS's HTML-entity escaping is sufficient.

Impact

  • Reflected XSS in the NocoDB origin via a phished password-reset URL.
  • No authentication required to trigger; affects any user who clicks the crafted link.
  • Same-origin script can read auth state and act on the victim's behalf.

Credit

This issue was reported by @fg0x0.

🎯 Affected products1

  • npm/nocodb:< 2026.04.1

🔗 References (3)