CVE-2025-27506

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 0.258.0

Description The issue concerns a Reflected Cross-Site-Scripting vulnerability in the password reset function of NocoDB. The API endpoint "/api/v1/db/auth/password/reset/:tokenId" is affected. This flaw is caused by the implementation of the client-side template engine ejs, specifically in the file resetPassword.ts, where the template uses the insecure function <%-. The vulnerability is related to the function renderPasswordReset.

Recommendations For versions prior to 0.258.0, update to version 0.258.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoint "/api/v1/db/auth/password/reset/:tokenId" until the update is applied.