Loading market data...
← Back to CVE feed

CVE-2026-47376

UNKNOWN View on NVD ↗

Description

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. This vulnerability is fixed in 2026.04.1.

Published: Jun 23, 2026 21:16 UTC Modified: Jun 24, 2026 15:16 UTC