Critical severity9.9NVD Advisory· Published Apr 24, 2026· Updated Apr 28, 2026
CVE-2026-41478
CVE-2026-41478
Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@saltcorn/servernpm | < 1.4.6 | 1.4.6 |
@saltcorn/servernpm | >= 1.5.0-beta.0, < 1.5.6 | 1.5.6 |
@saltcorn/servernpm | >= 1.6.0-alpha.0, < 1.6.0-beta.5 | 1.6.0-beta.5 |
Affected products
23cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*+ 22 more
- cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*range: <1.4.6
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta4:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-jp74-mfrx-3qvhghsaADVISORY
- github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvhnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41478ghsaADVISORY
News mentions
0No linked articles in our index yet.