EUVD-2026-21517
GHSA-32pv-mpqg-h292
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
4Tags
Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
Analysis
Unauthenticated path traversal in Saltcorn no-code application builder enables remote attackers to write arbitrary JSON files and create directories anywhere on the server filesystem via /sync/offline_changes endpoint, and read JSON files plus list directory contents via /sync/upload_finished endpoint. Affects Saltcorn versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Saltcorn instances in production and document their current versions. Within 7 days: Update affected Saltcorn deployments to version 1.4.5, 1.5.5, or 1.6.0-beta.4 or later, or implement network-level access controls restricting the /sync/offline_changes and /sync/upload_finished endpoints. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today