ReportizFlow
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Saltcorn |
|
Configuration 1 [-]
|
No data.
References
History
Tue, 28 Apr 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:* cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta4:*:*:*:*:*:* |
Mon, 27 Apr 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Saltcorn
Saltcorn saltcorn |
|
| Vendors & Products |
Saltcorn
Saltcorn saltcorn |
Mon, 27 Apr 2026 14:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 24 Apr 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5. | |
| Title | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | |
| Weaknesses | CWE-89 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-04-24T20:52:30.670Z
Updated: 2026-04-27T13:34:34.775Z
Reserved: 2026-04-20T16:14:19.005Z
Link: CVE-2026-41478
Vulnrichment
Updated: 2026-04-27T13:10:54.104Z
NVD
Status : Analyzed
Published: 2026-04-24T21:16:19.353
Modified: 2026-04-28T14:58:44.380
Link: CVE-2026-41478
Redhat
No data.