CVE-2026-41478

Published: Apr 24, 2026Modified: Apr 28, 2026

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: security-advisories@github.com (Secondary)

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Affected (24)

Products: Saltcorn: Saltcorn

Saltcorn

1 product

Saltcorn

Configuration A

24 vulnerable

Vulnerable Software	Affected Versions
Saltcorn Saltcorn	Before 1.4.6
Saltcorn Saltcorn	From 1.5.0 to 1.5.6
Saltcorn Saltcorn	Version 1.6.0 alpha0
Saltcorn Saltcorn	Version 1.6.0 alpha10
Saltcorn Saltcorn	Version 1.6.0 alpha11
Saltcorn Saltcorn	Version 1.6.0 alpha12
Saltcorn Saltcorn	Version 1.6.0 alpha13
Saltcorn Saltcorn	Version 1.6.0 alpha14
Saltcorn Saltcorn	Version 1.6.0 alpha15
Saltcorn Saltcorn	Version 1.6.0 alpha16
Saltcorn Saltcorn	Version 1.6.0 alpha17
Saltcorn Saltcorn	Version 1.6.0 alpha1
Saltcorn Saltcorn	Version 1.6.0 alpha2
Saltcorn Saltcorn	Version 1.6.0 alpha3
Saltcorn Saltcorn	Version 1.6.0 alpha4
Saltcorn Saltcorn	Version 1.6.0 alpha5
Saltcorn Saltcorn	Version 1.6.0 alpha6
Saltcorn Saltcorn	Version 1.6.0 alpha7
Saltcorn Saltcorn	Version 1.6.0 alpha8
Saltcorn Saltcorn	Version 1.6.0 alpha9
Saltcorn Saltcorn	Version 1.6.0 beta1
Saltcorn Saltcorn	Version 1.6.0 beta2
Saltcorn Saltcorn	Version 1.6.0 beta3
Saltcorn Saltcorn	Version 1.6.0 beta4

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

Source: security-advisories@github.com

Vendor Advisory

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Vendor Advisory

Timeline

No history available yet.