CVE-2026-47376
NocoDB: Reflected Cross-Site Scripting via Password Reset Token
Description
### Summary

The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.

### Details

The vulnerable template embedded the token as:

```ejs
token: '<%= token %>',
```

A token containing `';alert(document.cookie);//` closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (`data-token="…"`) and reads it from `dataset.token` at runtime, so EJS's HTML-entity escaping is sufficient.

### Impact

- Reflected XSS in the NocoDB origin via a phished password-reset URL.
- No authentication required to trigger; affects any user who clicks the crafted link.
- Same-origin script can read auth state and act on the victim's behalf.

### Credit

This issue was reported by [@fg0x0](https://github.com/fg0x0).
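As an added example (not NocoDB's or the ejs package's own code), the following JavaScript models the two rendering patterns the advisory contrasts: `htmlEscape` is a constructed stand-in for the entity escaping described above, and `readDatasetToken` stands in for the browser's parsing of the attribute that `dataset.token` later exposes. `canBreakOutOfJsString` is the check a reviewer would apply to any value interpolated into a script string.

```javascript
// Constructed stand-in for an HTML-entity escaper that encodes only & < > "
// (the behaviour the advisory attributes to the template's escaping). It is
// not the ejs package's implementation.
const HTML_RULES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;' };
function htmlEscape(s) {
  return String(s).replace(/[&<>"]/g, (c) => HTML_RULES[c]);
}

// Characters that end or alter a single-quoted JS string literal and that
// HTML-entity escaping leaves untouched (quote, backslash, line terminators).
const JS_STRING_BREAKERS = /['\\\n\r\u2028\u2029]/;

// Vulnerable pattern from the advisory: token interpolated into a JS string.
function renderVulnerable(token) {
  return `token: '${htmlEscape(token)}',`;
}

// Reviewer's check: after escaping, can the value still terminate the JS
// string literal? True means the escaper is wrong for this output context.
function canBreakOutOfJsString(token) {
  return JS_STRING_BREAKERS.test(htmlEscape(token));
}

// Fixed pattern: the token lives in a double-quoted HTML attribute, where
// entity-encoding " & < > is the correct escaping for the context.
function renderFixed(token) {
  return `<div id="reset" data-token="${htmlEscape(token)}"></div>`;
}

// Models what the browser does before exposing element.dataset.token: take
// the attribute value between the quotes and decode the entities. The
// attribute cannot be closed early because every " became &#34;.
const DECODE = { amp: '&', lt: '<', gt: '>', '#34': '"' };
function readDatasetToken(html) {
  const m = /data-token="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1].replace(/&(amp|lt|gt|#34);/g, (_, e) => DECODE[e]);
}
```

Running `canBreakOutOfJsString` over the advisory's sample token shows why the string-literal pattern fails, while `readDatasetToken(renderFixed(token))` returns the original token for any input without ever leaving the attribute.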
How to fix CVE-2026-47376
To fix CVE-2026-47376, upgrade the affected package to the patched version listed below.
- Upgrade to 2026.04.1 or later
Is CVE-2026-47376 being exploited?
There are currently no signals of exploitation. CVE-2026-47376 is neither listed in CISA KEV nor has a current EPSS score.
Affected packages (1)
- from 0, < 2026.04.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |