Medium severityGHSA Advisory· Published May 7, 2026· Updated May 8, 2026

CVE-2026-42259

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@saltcorn/servernpm	< 1.4.6	1.4.6
@saltcorn/servernpm	>= 1.5.0-beta.0, < 1.5.6	1.5.6
@saltcorn/servernpm	>= 1.6.0-alpha.0, < 1.6.0-beta.5	1.6.0-beta.5

Affected products

Saltcorn/SaltcornGHSA
Range: >= 1.6.0-alpha.0, < 1.6.0-beta.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-f3g8-9xv5-77gvghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42259ghsaADVISORY
github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gvnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000