XSS in NocoDB

CVE-2026-47376

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fix…
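An added example, not NocoDB's code or its fix: HTML-entity encoding is designed for HTML text and attribute contexts and leaves JavaScript-string metacharacters such as backslashes and line breaks untouched, so a value placed in an inline script needs an encoder for the JavaScript-string context. The function names, the token format check and the sample values are assumptions constructed for illustration.

```javascript
// Added example: context-aware output encoding for a value placed inside an
// inline <script> string literal. All names here are hypothetical.

// The five characters EJS's default <%= %> escaping replaces (HTML context only).
const HTML_RULES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_RULES[c]);
}

// Encoder for the JavaScript-string context: JSON.stringify handles quotes,
// backslashes and control characters; the extra pass removes characters that
// matter to the HTML parser or to older JS engines inside a <script> element.
const JS_EXTRA = { '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
                   '\u2028': '\\u2028', '\u2029': '\\u2029' };
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) => JS_EXTRA[c]);
}

// Defence in depth: reject anything that does not look like a token at all.
// Assumed format (not taken from NocoDB): 16-128 URL-safe characters.
function isPlausibleToken(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_-]{16,128}$/.test(value);
}

// Render the inline script for the reset page, or null when the token is rejected.
function renderTokenScript(token) {
  if (!isPlausibleToken(token)) return null;
  return '<script>var resetToken = ' + jsStringLiteral(token) + ';</script>';
}

// Constructed inputs: a well-formed token and values with JS-string metacharacters.
const samples = ['3f9c2a7e-1b4d-4c8e-9a10-5d6e7f8091ab', 'abc\\', 'line1\nline2', 'a&b'];
for (const s of samples) {
  console.log(JSON.stringify(s), '| html:', JSON.stringify(htmlEscape(s)),
              '| js:', jsStringLiteral(s), '| accepted:', isPlausibleToken(s));
}
```

The `html:` column shows which inputs the HTML encoder passes through unchanged, while the `js:` column is the literal that is safe to place in the script.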

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

  • NocoDB — versions < 2026.04.1

Weakness classification (CWE)

References