VYPR

Saltcorn

by Saltcorn

CVEs (4)

  • CVE-2026-41478 | Critical | Apr 24, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject…

  • CVE-2026-40163 | High | Apr 10, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with…

  • CVE-2024-47818 | Medium | Oct 7, 2024
    risk 0.35 | cvss 6.5 | epss 0.01

    Saltcorn is an extensible, open source, no-code database application builder. A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to…

  • CVE-2026-42259 | Medium | May 7, 2026
    risk 0.33 | cvss | epss 0.00

    Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise…