GHSA-6xcx-7qmg-vjfq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6xcx-7qmg-vjfq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-6xcx-7qmg-vjfq/GHSA-6xcx-7qmg-vjfq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6xcx-7qmg-vjfq
- Aliases
-
- CVE-2026-47376
- Published
- 2026-06-05T15:59:53Z
- Modified
- 2026-06-05T16:15:06.899317079Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- NocoDB: Reflected Cross-Site Scripting via Password Reset Token
- Details
-
Summary
The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS
<%= %>HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.Details
The vulnerable template embedded the token as:
token: '<%= token %>',A token containing
';alert(document.cookie);//closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it fromdataset.tokenat runtime, so EJS's HTML-entity escaping is sufficient.Impact
- Reflected XSS in the NocoDB origin via a phished password-reset URL.
- No authentication required to trigger; affects any user who clicks the crafted link.
- Same-origin script can read auth state and act on the victim's behalf.
Credit
This issue was reported by @fg0x0.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2026-06-05T15:59:53Z", "severity": "MODERATE" }- References
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb