CVE-2026-41478

EUVD-2026-25633

24.04.2026, 21:16

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Affected Products (NVD)

Vendor	Product	Version
saltcorn	saltcorn	𝑥 < 1.4.6
saltcorn	saltcorn	1.5.0 ≤ 𝑥 < 1.5.6
saltcorn	saltcorn	1.6.0:alpha0
saltcorn	saltcorn	1.6.0:alpha1
saltcorn	saltcorn	1.6.0:alpha10
saltcorn	saltcorn	1.6.0:alpha11
saltcorn	saltcorn	1.6.0:alpha12
saltcorn	saltcorn	1.6.0:alpha13
saltcorn	saltcorn	1.6.0:alpha14
saltcorn	saltcorn	1.6.0:alpha15
saltcorn	saltcorn	1.6.0:alpha16
saltcorn	saltcorn	1.6.0:alpha17
saltcorn	saltcorn	1.6.0:alpha2
saltcorn	saltcorn	1.6.0:alpha3
saltcorn	saltcorn	1.6.0:alpha4
saltcorn	saltcorn	1.6.0:alpha5
saltcorn	saltcorn	1.6.0:alpha6
saltcorn	saltcorn	1.6.0:alpha7
saltcorn	saltcorn	1.6.0:alpha8
saltcorn	saltcorn	1.6.0:alpha9
saltcorn	saltcorn	1.6.0:beta1
saltcorn	saltcorn	1.6.0:beta2
saltcorn	saltcorn	1.6.0:beta3
saltcorn	saltcorn	1.6.0:beta4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh