Cross-Site Scripting in NocoDB Database Software
CVE-2026-47376

5.1MEDIUM

Key Information:

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-47376?

NocoDB, a database management solution that utilizes spreadsheet-like functionality, faced a security vulnerability prior to version 2026.04.1. This flaw arose from the password-reset page rendering a URL token improperly within a JavaScript string literal in an EJS template. Due to the static HTML character encoding, crafted tokens could manipulate the JavaScript context, resulting in potential execution of malicious scripts. This vulnerability could be exploited simply by enticing users to access a maliciously constructed password-reset link, thus placing sensitive user information at risk. The issue has been addressed in the subsequent release, 2026.04.1.

Affected Version(s)

nocodb < 2026.04.1

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
May 19, 2026

CVE-2026-47376 Data

JSON

Nocodb

What is CVE-2026-47376?

Affected Version(s)

References

CVSS V4

Timeline