PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47376 nocodb CVE debrief

CVE-2026-47376 is a vulnerability in NocoDB, software for building databases as spreadsheets. The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. This allowed a crafted token to break out of the JS string context and execute attacker-controlled script in the NocoDB origin. The vulnerability was fixed in 2026.04.1 and requires only that a victim follow a malicious password-reset link.

Vendor: nocodb
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Administrators and users of NocoDB, especially of instances not yet updated to version 2026.04.1, should care about this vulnerability. A victim who follows a crafted password-reset link gets attacker-controlled script executed in the NocoDB origin, which could lead to unauthorized access to the victim's account or data.

Technical summary

The vulnerability exists in the password-reset page of NocoDB, where the URL token is rendered directly into a JavaScript string literal in an EJS template. EJS's <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes; that is, it applies HTML-context encoding to a value that sits in a JavaScript string context, and the two contexts need different escaping. A crafted token can therefore break out of the JS string and execute attacker-controlled script in the NocoDB origin. The vulnerability has a CVSS score of 5.1 and is classified as MEDIUM severity.
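The fix pattern for this class of bug, as an added example that is not NocoDB's code: encode the value for the JavaScript string context it lands in (or keep it in an HTML attribute, where entity encoding is the right tool) and check the rendered literal before trusting it. The page template and function names are hypothetical.

```javascript
// Added example, not NocoDB's code: the fix pattern for a value rendered into a
// JavaScript string literal inside an inline <script>. HTML-entity encoding
// (what EJS <%= %> applies) targets the HTML text context; a JS string context
// needs quotes, backslashes, line terminators and '<' neutralised so the value
// can neither close the string nor end the <script> element.

// JSON.stringify escapes quotes, backslashes and ASCII control characters;
// these are the extra characters the HTML parser or JS lexer would act on.
const JS_CONTEXT_EXTRA = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/[<>&\u2028\u2029]/g, (c) => JS_CONTEXT_EXTRA[c]);
}

// Hypothetical minimal reset page: the token reaches the script only as an
// escaped literal, never as raw template text.
function renderResetPage(token) {
  return `<script>\n  var resetToken = ${jsStringLiteral(token)};\n</script>`;
}

// Alternative pattern: keep the value in an HTML attribute, where entity
// encoding is the correct escaping, and let the browser decode it.
const HTML_ATTR = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ATTR[c]);
}
function renderResetPageViaAttr(token) {
  return `<div id="reset" data-token="${htmlAttr(token)}"></div>\n` +
    '<script>var resetToken = document.getElementById("reset").dataset.token;</script>';
}

// Defensive check for a rendered literal: only a double-quoted string whose body
// is plain safe characters or JSON-style escapes may pass.
const INERT_LITERAL = /^"(?:[^"\\<>&\u0000-\u001f\u2028\u2029]|\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4}))*"$/;
function literalIsInert(literal) {
  return INERT_LITERAL.test(literal);
}

// Round trip used for verification only: the literal evaluated as JS must give
// back exactly the original token.
function roundTrip(token) {
  return new Function(`return ${jsStringLiteral(token)};`)();
}
```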

Defensive priority

Defenders should prioritize updating NocoDB to version 2026.04.1 or later. Additionally, defenders should monitor for suspicious password-reset link activity and ensure that users are aware of the risks associated with following malicious links.

Recommended defensive actions

  • Update NocoDB to version 2026.04.1 or later
  • Monitor for suspicious password-reset link activity
  • Educate users on the risks of following malicious links
  • Implement additional security measures, such as input validation and output encoding that matches the context the value is rendered into (HTML text, attribute, or JavaScript string)
  • Conduct regular security audits and vulnerability assessments

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information on the vulnerability, including references to security advisories.

Official resources

This article is AI-assisted and based on the supplied source corpus.