Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

saltcorn

Source -

CNANVD

BOS Name -

N/A

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

2
Related CVEsRelated ProductsRelated AssignersReports
4Vulnerabilities found
CVE-2026-42259
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.05% / 16.77%
||
7 Day CHG+0.01%
Published-07 May, 2026 | 18:54
Updated-08 May, 2026 | 23:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.

Action-Not Available
Vendor-saltcorn
Product-saltcorn
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-41478
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-10||CRITICAL
EPSS-0.03% / 9.43%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 20:52
Updated-28 Apr, 2026 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Action-Not Available
Vendor-saltcornsaltcorn
Product-saltcornsaltcorn
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40163
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.13% / 32.26%
||
7 Day CHG~0.00%
Published-10 Apr, 2026 | 17:07
Updated-27 Apr, 2026 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

Action-Not Available
Vendor-saltcornsaltcorn
Product-saltcornsaltcorn
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-47818
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 42.40%
||
7 Day CHG~0.00%
Published-07 Oct, 2024 | 21:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Logged-in users with any role can delete arbitrary files in @saltcorn/server

Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to construct the `syncDir` that is deleted by calling `fs.rm`. This issue has been addressed in release version 1.0.0-beta16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-saltcornsaltcorn_collective_ltd
Product-saltcornsaltcorn
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')