Summary The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS "<%= %>" HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link. Details The vulnerable template embedded the token as: token: '<%= token %>', A token containing "';alert(document.cookie);//" closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute ("data-token="…"") and reads it from "dataset.token" at runtime, so EJS's HTML-entity escaping is sufficient. Impact - Reflected XSS in the NocoDB origin via a phished password-reset URL. - No authentication required to trigger; affects any user who clicks the crafted link. - Same-origin script can read auth state and act on the victim's behalf. Credit This issue was reported by "@fg0x0" (https://github.com/fg0x0).