Skip to main content

Saltcorn CVE-2026-40163

| EUVDEUVD-2026-21517 HIGH
Path Traversal (CWE-22)
2026-04-10 GitHub_M GHSA-32pv-mpqg-h292
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 27, 2026 - 13:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 13:37 vuln.today
cvss_changed
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 18:00 euvd
EUVD-2026-21517
Analysis Generated
Apr 10, 2026 - 18:00 vuln.today
CVE Published
Apr 10, 2026 - 17:07 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on @saltcorn/server (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.5.0-beta.0.

DescriptionGitHub Advisory

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

AnalysisAI

Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. Publicly available exploit code exists (SSVC: POC status), with EPSS probability of 0.08% (23rd percentile) indicating low widespread exploitation likelihood despite the critical impact. The vulnerability enables direct filesystem manipulation without authentication, though confidentiality impact is rated low (CVSS C:L) as only JSON files and directory listings are readable.

Technical ContextAI

Saltcorn is a no-code database application builder written in Node.js. The vulnerability stems from improper path validation (CWE-22: Path Traversal) in two mobile synchronization API endpoints. The POST /sync/offline_changes endpoint fails to sanitize user-supplied path parameters before writing changes.json files, allowing directory traversal sequences (../) to escape intended directories. Similarly, GET /sync/upload_finished lacks path validation when reading directory contents and JSON files. These endpoints are part of Saltcorn's offline-first mobile sync feature, which appears to have been designed without authentication requirements or filesystem access controls. The affected component is the web application server layer that handles HTTP requests to these specific routes, not the underlying database or file storage system itself.

RemediationAI

Upgrade immediately to patched versions: 1.4.5 for the stable 1.4.x branch, 1.5.5 for the 1.5.x series, or 1.6.0-beta.4 for users on 1.6 preview builds. Patches are available from the official Saltcorn GitHub repository and NPM registry. If immediate patching is not possible, implement network-level access controls to restrict the /sync/offline_changes and /sync/upload_finished endpoints to authenticated sessions only via reverse proxy rules (e.g., nginx location blocks requiring valid session cookies) - note this will break offline mobile sync functionality for legitimate users until patching is completed. Alternatively, disable the mobile sync feature entirely if not required for your deployment by removing or commenting out the sync route handlers in the application configuration, though this requires code modification and may not survive application restarts. Monitor web server access logs for POST requests to /sync/offline_changes and GET requests to /sync/upload_finished from unexpected IP addresses or containing directory traversal patterns (../, ..\ sequences) as indicators of exploitation attempts. Conduct filesystem integrity checks to identify any unauthorized changes.json files or directories created outside expected application data paths. Refer to the GitHub security advisory at https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292 for additional vendor guidance.

Share

CVE-2026-40163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy