NocoDB: Reflected XSS Vulnerability in Password Reset API Endpoint

In NocoDB versions 0.257.9 and prior a medium severity vulnerability CVE-2025-27506 was detected. This vulnerability allows attackers to exploit a reflected Cross-Site Scripting (XSS) flaw in the /api/v1/db/auth/password/reset/:tokenId API endpoint due to the use of the insecure function “<%-" in the client-side template engine ejs, which is rendered by the function renderPasswordReset. To address this issue, users should upgrade NocoDB to versions 0.258.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27506.