Critical severity9.9NVD Advisory· Published Apr 24, 2026· Updated Apr 28, 2026
CVE-2026-41478
CVE-2026-41478
Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@saltcorn/servernpm | < 1.4.6 | 1.4.6 |
@saltcorn/servernpm | >= 1.5.0-beta.0, < 1.5.6 | 1.5.6 |
@saltcorn/servernpm | >= 1.6.0-alpha.0, < 1.6.0-beta.5 | 1.6.0-beta.5 |
Affected products
24cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*+ 22 more
- cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*range: <1.4.6
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta4:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-jp74-mfrx-3qvhghsaADVISORY
- github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvhnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41478ghsaADVISORY
News mentions
0No linked articles in our index yet.