Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-27506 PoC — NocoDB 跨站脚本漏洞

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-27506.yaml
Associated Vulnerability
Title:NocoDB 跨站脚本漏洞 (CVE-2025-27506)
Description:NocoDB是一个开源 Airtable 替代品。将任何 MySql、PostgreSql、Sql Server、Sqlite 和 MariaDb 转换为智能电子表格。 NocoDB 0.258.0之前版本存在跨站脚本漏洞,该漏洞源于密码重置功能相关的API端点容易受到反射型跨站脚本攻击。
Description
NocoDB versions before 0.258.0 contain a reflected cross-site scripting caused by insecure use of '\u003C%-' in resetPassword.ts, letting attackers execute malicious scripts in victims' browsers, exploit requires sending crafted requests to /api/v1/db/auth/password/reset/:tokenId.
File Snapshot

 id: CVE-2025-27506

info:
  name: NocoDB < 0.258.0 - Reflected XSS in Password Reset
  author: 0x_Ak

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.