VYPR

npm package

@saltcorn/server

pkg:npm/%40saltcorn/server

Vulnerabilities (4)

  • CVE-2026-42259 | Med | May 7, 2026
    affected < 1.4.6 | fixed 1.4.6

    Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backsla

  • CVE-2026-41478 | Cri | Apr 24, 2026
    affected < 1.4.6 | fixed 1.4.6

    Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbit

  • CVE-2026-40163 | Hig | Apr 10, 2026
    affected < 1.4.5 | fixed 1.4.5

    Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled

  • CVE-2024-47818 | Med | Oct 7, 2024
    affected < 1.0.0-beta.16 | fixed 1.0.0-beta.16

    Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to constru