What is the CVSS score of CVE-2026-40163?

CVE-2026-40163 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Saltcorn are affected by CVE-2026-40163?

Saltcorn versions prior to 1.4.5 and specific beta releases contain a remote, unauthenticated path traversal vulnerability in mobile sync endpoints that allows attackers to write arbitrary files and…. A patch is available.

How to fix or mitigate CVE-2026-40163?

Within 24 hours: Identify all Saltcorn instances in your environment and document their current versions. Within 7 days: Upgrade to Saltcorn 1.4.5 or later (latest stable 1.5.x or 1.6.x release depending on your deployment). If immediate upgrade is not feasible, disable or restrict network access to mobile sync endpoints via web application firewall or load balancer rules. Within 30 days: Complete testing and deploy patched version to all production and non-production Saltcorn instances; verify no unauthorized files were written during the vulnerability window by reviewing filesystem integrity logs.

Saltcorn CVE-2026-40163

EUVD-2026-21517 HIGH

Path Traversal (CWE-22)

2026-04-10 GitHub_M

GHSA-32pv-mpqg-h292

Path Traversal

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 27, 2026 - 13:42 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 27, 2026 - 13:37 vuln.today

cvss_changed

Patch released

Apr 11, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 18:00 euvd

EUVD-2026-21517

Analysis Generated

Apr 10, 2026 - 18:00 vuln.today

CVE Published

Apr 10, 2026 - 17:07 nvd

HIGH 8.2

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on @saltcorn/server (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.5.0-beta.0.

DescriptionNVD

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

AnalysisAI

Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. …

RemediationAI

Within 24 hours: Identify all Saltcorn instances in your environment and document their current versions. Within 7 days: Upgrade to Saltcorn 1.4.5 or later (latest stable 1.5.x or 1.6.x release depending on your deployment). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40163 vulnerability details – vuln.today

Back

Saltcorn CVE-2026-40163

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code