VYPR
Critical severity 9.9 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 28, 2026

CVE-2026-41478

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions                    Patched versions
@saltcorn/server (npm)   < 1.4.6                              1.4.6
@saltcorn/server (npm)   >= 1.5.0-beta.0, < 1.5.6             1.5.6
@saltcorn/server (npm)   >= 1.6.0-alpha.0, < 1.6.0-beta.5     1.6.0-beta.5

Affected products

24
  • Saltcorn/Saltcorn (23 versions)
    • cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:* (range: <1.4.6)
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta4:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.4.6

References

3
