Search criteria
4 vulnerabilities by saltcorn
CVE-2026-42259 (GCVE-0-2026-42259)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:54 – Updated: 2026-05-08 22:56
VLAI
Title
Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
Summary
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.
Severity
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/saltcorn/saltcorn/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42259",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T22:55:52.419958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T22:56:33.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saltcorn",
"vendor": "saltcorn",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.6"
},
{
"status": "affected",
"version": "\u003e= 1.5.0-beta.0, \u003c 1.5.6"
},
{
"status": "affected",
"version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.0-beta.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\\) to forward slashes (/) for special schemes, a payload such as /\\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:54:57.234Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv"
}
],
"source": {
"advisory": "GHSA-f3g8-9xv5-77gv",
"discovery": "UNKNOWN"
},
"title": "Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42259",
"datePublished": "2026-05-07T18:54:57.234Z",
"dateReserved": "2026-04-26T11:53:27.705Z",
"dateUpdated": "2026-05-08T22:56:33.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41478 (GCVE-0-2026-41478)
Vulnerability from cvelistv5 – Published: 2026-04-24 20:52 – Updated: 2026-04-27 13:34
VLAI
Title
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Summary
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Severity
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/saltcorn/saltcorn/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41478",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T13:10:53.061661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:34:34.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saltcorn",
"vendor": "saltcorn",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.6"
},
{
"status": "affected",
"version": "\u003e= 1.5.0-beta.0, \u003c 1.5.6"
},
{
"status": "affected",
"version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.0-beta.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T20:52:30.670Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
}
],
"source": {
"advisory": "GHSA-jp74-mfrx-3qvh",
"discovery": "UNKNOWN"
},
"title": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41478",
"datePublished": "2026-04-24T20:52:30.670Z",
"dateReserved": "2026-04-20T16:14:19.005Z",
"dateUpdated": "2026-04-27T13:34:34.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40163 (GCVE-0-2026-40163)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:07 – Updated: 2026-04-15 14:50
VLAI
Title
Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read
Summary
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
Severity
8.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/saltcorn/saltcorn/security/adv… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40163",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:49:25.336831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:50:01.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saltcorn",
"vendor": "saltcorn",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
},
{
"status": "affected",
"version": "\u003e= 1.5.0-beta.0, \u003c 1.5.5"
},
{
"status": "affected",
"version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:07:49.067Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292"
}
],
"source": {
"advisory": "GHSA-32pv-mpqg-h292",
"discovery": "UNKNOWN"
},
"title": "Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40163",
"datePublished": "2026-04-10T17:07:49.067Z",
"dateReserved": "2026-04-09T19:31:56.014Z",
"dateUpdated": "2026-04-15T14:50:01.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47818 (GCVE-0-2024-47818)
Vulnerability from cvelistv5 – Published: 2024-10-07 21:10 – Updated: 2024-10-08 14:18
VLAI
Title
Logged-in users with any role can delete arbitrary files in @saltcorn/server
Summary
Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to construct the `syncDir` that is deleted by calling `fs.rm`. This issue has been addressed in release version 1.0.0-beta16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/saltcorn/saltcorn/security/adv… | x_refsource_CONFIRM |
| https://github.com/saltcorn/saltcorn/commit/3c551… | x_refsource_MISC |
| https://github.com/saltcorn/saltcorn/blob/v1.0.0-… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:saltcorn_collective_ltd:saltcorn:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "saltcorn",
"vendor": "saltcorn_collective_ltd",
"versions": [
{
"lessThan": "1.0.0-beta.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47818",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T14:13:36.451606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T14:18:42.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saltcorn",
"vendor": "saltcorn",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.0-beta.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to construct the `syncDir` that is deleted by calling `fs.rm`. This issue has been addressed in release version 1.0.0-beta16 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T21:10:22.072Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-43f3-h63w-p6f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-43f3-h63w-p6f6"
},
{
"name": "https://github.com/saltcorn/saltcorn/commit/3c551261d0e230635774798009951fa83a07cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saltcorn/saltcorn/commit/3c551261d0e230635774798009951fa83a07cc3a"
},
{
"name": "https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js#L337-L346",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js#L337-L346"
}
],
"source": {
"advisory": "GHSA-43f3-h63w-p6f6",
"discovery": "UNKNOWN"
},
"title": "Logged-in users with any role can delete arbitrary files in @saltcorn/server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-47818",
"datePublished": "2024-10-07T21:10:22.072Z",
"dateReserved": "2024-10-03T14:06:12.638Z",
"dateUpdated": "2024-10-08T14:18:42.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}