High severity 8.2 (NVD) · Advisory · Published Apr 10, 2026 · Updated Apr 27, 2026
CVE-2026-40163
Description
Saltcorn is an extensible, open source, no-code database application builder. In versions before 1.4.5, 1.5.5, and 1.6.0-beta.4 (on the 1.4, 1.5 and 1.6 release lines respectively), the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.
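The description above boils down to two missing controls on the sync endpoints: the request is not authenticated, and the client-supplied directory is used as-is, so it can point anywhere on the filesystem. The following is an added example, not Saltcorn's code and not the advisory's fix, of the path-containment guard such a handler needs regardless of authentication: the client may only name a directory relative to a server-fixed base, every segment must be a plain name, and the only file the handler ever writes has a fixed name. The base directory, the `changes.json` layout, the size cap and the segment character set are assumptions for the example; the same `containedRelativeDir` check applies to a listing or read endpoint such as the one behind GET /sync/upload_finished.

```javascript
// Added example (not Saltcorn's code): containment guard for a handler that
// writes into, or lists, a client-named directory under a fixed base.
// Policy: every segment is a plain name starting with an alphanumeric
// character, so absolute paths, ".", "..", hidden names, empty segments,
// NUL bytes and backslashes are all rejected before the filesystem is touched.
const SAFE_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Returns the normalised relative directory ("" means the base itself),
// or null when the input must be refused.
function containedRelativeDir(untrusted) {
  if (typeof untrusted !== "string") return null;
  if (untrusted.includes("\0") || untrusted.includes("\\")) return null; // NUL truncates C paths; no Windows separators
  if (untrusted.startsWith("/")) return null;                            // absolute paths are never acceptable
  const segments = [];
  for (const seg of untrusted.split("/")) {
    if (seg === "") continue;                                            // tolerate "a//b" and a trailing "/"
    if (seg === "." || seg === "..") return null;                        // no current/parent references at all
    if (!SAFE_SEGMENT.test(seg)) return null;                            // also rejects ".git", "..foo", "a:b"
    segments.push(seg);
  }
  return segments.join("/");
}

// The only file this handler is allowed to write. Assumed layout for the
// example: <baseDir>/<client dir>/changes.json, with baseDir fixed server-side.
function changesFileTarget(baseDir, untrustedDir) {
  const rel = containedRelativeDir(untrustedDir);
  if (rel === null) return null;
  return rel === "" ? `${baseDir}/changes.json` : `${baseDir}/${rel}/changes.json`;
}

// Payload check: accept only a JSON document that parses to a plain object and
// stays below a size cap (the cap is an assumption), so the stored file is never
// an arbitrary attacker-shaped blob.
function parseChangesPayload(rawBody, maxBytes = 1 << 20) {
  if (typeof rawBody !== "string") return null;
  if (new TextEncoder().encode(rawBody).length > maxBytes) return null;
  let doc;
  try {
    doc = JSON.parse(rawBody);
  } catch {
    return null;
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) return null;
  return doc;
}

// Constructed inputs showing the decisions the guard makes.
const BASE = "/srv/saltcorn/sync"; // assumed base directory
for (const dir of ["device-1/user-2", "a//b/", "../../etc", "/tmp/x", "a/./b", ".git", "a\\b"]) {
  console.log(JSON.stringify(dir), "->", changesFileTarget(BASE, dir));
}
```

A guard like this is defence in depth, not a substitute for authenticating the endpoint; and because it never resolves symlinks, a deployment where the base directory can contain attacker-created links should additionally compare the real path of the target against the real path of the base before writing.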
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| @saltcorn/server | npm | < 1.4.5 | 1.4.5 |
| @saltcorn/server | npm | >= 1.5.0-beta.0, < 1.5.5 | 1.5.5 |
| @saltcorn/server | npm | >= 1.6.0-alpha.0, < 1.6.0-beta.4 | 1.6.0-beta.4 |
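Deciding whether an installed `@saltcorn/server` is in one of the three ranges above is easy to get wrong with string comparison, because the 1.6.0 line is entirely prerelease versions (`1.6.0-alpha.10` must sort after `1.6.0-alpha.9`, and `1.6.0-beta.3` before the fix in `1.6.0-beta.4`). The following is an added example, not part of this page or of the Saltcorn project, that transcribes the table into a small SemVer 2.0.0 comparator with correct prerelease ordering and reports the patched version to upgrade to.

```javascript
// Added example: classify an installed @saltcorn/server version against the
// affected ranges in the GitHub Security Advisory for CVE-2026-40163, using
// SemVer 2.0.0 precedence (section 11) for prerelease identifiers.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [], // [] means a release version
  };
}

// Compare two prerelease identifier lists. A release (empty list) has higher
// precedence than any prerelease of the same core version.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      const d = Number(x) - Number(y);              // numeric identifiers compare as numbers
      if (d !== 0) return Math.sign(d);
    } else if (xNum) {
      return -1;                                    // numeric sorts before alphanumeric
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;                        // alphanumeric compares lexically (ASCII)
    }
  }
  return Math.sign(a.length - b.length);            // longer identifier list wins on a tie
}

// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// Affected ranges and fixes, transcribed from the advisory table on this page.
// min === null means "no lower bound"; max is exclusive.
const AFFECTED_RANGES = [
  { min: null,            max: "1.4.5",       patched: "1.4.5" },
  { min: "1.5.0-beta.0",  max: "1.5.5",       patched: "1.5.5" },
  { min: "1.6.0-alpha.0", max: "1.6.0-beta.4", patched: "1.6.0-beta.4" },
];

function assessSaltcornServer(version) {
  for (const r of AFFECTED_RANGES) {
    const aboveMin = r.min === null || compareSemver(version, r.min) >= 0;
    const belowMax = compareSemver(version, r.max) < 0;
    if (aboveMin && belowMax) return { affected: true, upgradeTo: r.patched };
  }
  return { affected: false, upgradeTo: null };
}

// Usage: node assess.js 1.6.0-alpha.17  (constructed default shown when no argument is given)
console.log(assessSaltcornServer(process.argv[2] || "1.6.0-alpha.17"));
```

The comparator follows plain SemVer precedence, so a hypothetical `1.4.5-rc.1` is reported as affected (it precedes `1.4.5`); npm's range matcher would exclude such a prerelease from `< 1.4.5` unless asked to include prereleases, which is the conservative direction for an advisory check.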
Affected products
22 CPE entries:
- cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:* (version range: < 1.4.5)
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292 (vendor advisory; NVD tags: Exploit, Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-32pv-mpqg-h292 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40163 (NVD entry)
News mentions
No linked articles in our index yet.