CVE-2026-28358
MEDIUM NUCLEI
NocoDB < 0.301.3 - User Enumeration via Password Reset Endpoint
Title source: llm
Exploitation Summary
CVE-2026-28358 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
Nuclei Templates (1)
NocoDB - User Enumeration
MEDIUM, by DhiyaneshDk
Shodan:
http.favicon.hash:-2017596142
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nocodb/nocodb/security/advisories/GHSA-387m-j3p9-3php
Release Notes x_refsource_misc
https://github.com/nocodb/nocodb/releases/tag/0.301.3
Scores
CVSS v3
5.3
EPSS
0.0060
EPSS Percentile
70.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-204
Status
published
Products (2)
nocodb/nocodb
< 0.301.3
npm/nocodb
0 - 0.301.3 (npm)
Published
Mar 02, 2026
Tracked Since
Mar 03, 2026