CVE-2026-40163

EUVD-2026-21517

10.04.2026, 18:16

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Affected Products (NVD)

Vendor	Product	Version
saltcorn	saltcorn	𝑥 < 1.4.5
saltcorn	saltcorn	1.5.0 ≤ 𝑥 < 1.5.5
saltcorn	saltcorn	1.6.0:alpha0
saltcorn	saltcorn	1.6.0:alpha1
saltcorn	saltcorn	1.6.0:alpha10
saltcorn	saltcorn	1.6.0:alpha11
saltcorn	saltcorn	1.6.0:alpha12
saltcorn	saltcorn	1.6.0:alpha13
saltcorn	saltcorn	1.6.0:alpha14
saltcorn	saltcorn	1.6.0:alpha15
saltcorn	saltcorn	1.6.0:alpha16
saltcorn	saltcorn	1.6.0:alpha17
saltcorn	saltcorn	1.6.0:alpha2
saltcorn	saltcorn	1.6.0:alpha3
saltcorn	saltcorn	1.6.0:alpha4
saltcorn	saltcorn	1.6.0:alpha5
saltcorn	saltcorn	1.6.0:alpha6
saltcorn	saltcorn	1.6.0:alpha7
saltcorn	saltcorn	1.6.0:alpha8
saltcorn	saltcorn	1.6.0:alpha9
saltcorn	saltcorn	1.6.0:beta1
saltcorn	saltcorn	1.6.0:beta2
saltcorn	saltcorn	1.6.0:beta3

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292