CVE-2025-27506: NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.
References
- github.com/advisories/GHSA-wf6c-hrhf-86cw
- github.com/nocodb/nocodb
- github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts
- github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts
- github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
- github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw
- nvd.nist.gov/vuln/detail/CVE-2025-27506
Code Behaviors & Features
Detect and mitigate CVE-2025-27506 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →