Skip to main content

Saltcorn

2 CVEs product

Monthly

CVE-2026-41478 npm CRITICAL PATCH GHSA Act Now

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

SQLi Saltcorn
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-40163 npm HIGH PATCH GHSA This Week

Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. Publicly available exploit code exists (SSVC: POC status), with EPSS probability of 0.08% (23rd percentile) indicating low widespread exploitation likelihood despite the critical impact. The vulnerability enables direct filesystem manipulation without authentication, though confidentiality impact is rated low (CVSS C:L) as only JSON files and directory listings are readable.

Path Traversal Saltcorn
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

SQLi Saltcorn
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Path traversal in Saltcorn's mobile sync endpoints enables remote unauthenticated attackers to write arbitrary JSON files and create directories anywhere on the server filesystem, plus read directory listings and JSON file contents. Affects all versions before 1.4.5, 1.5.0-beta.0 through 1.5.4, and 1.6.0-alpha.0 through 1.6.0-beta.3. Publicly available exploit code exists (SSVC: POC status), with EPSS probability of 0.08% (23rd percentile) indicating low widespread exploitation likelihood despite the critical impact. The vulnerability enables direct filesystem manipulation without authentication, though confidentiality impact is rated low (CVSS C:L) as only JSON files and directory listings are readable.

Path Traversal Saltcorn
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy