Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)_CVE-2026-41478

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

AI Analysis

SQL injection vulnerability in Saltcorn's mobile-sync routes

Basic Information

ID CVE-2026-41478

Source GitHub_M

Published Apr 24, 2026 at 20:52

Affected Product

Vendor saltcorn

Product saltcorn

Version < 1.4.6

Affected Versions saltcorn saltcorn < 1.4.6
saltcorn saltcorn >= 1.5.0-beta.0, < 1.5.6
saltcorn saltcorn >= 1.6.0-alpha.0, < 1.6.0-beta.5

CWE Classification

CWE-89

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor Saltcorn

Product Saltcorn

Version < 1.4.6, < 1.5.6, < 1.6.0-beta.5

References

github.com /saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

{
    "lastseen": "",
    "description": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.",
    "published": "2026-04-24T20:52:30.670Z",
    "modified": "2026-04-24T20:52:30.670Z",
    "type": "cve",
    "title": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)",
    "source": "GitHub_M",
    "references": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh",
    "id": "CVE-2026-41478",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "saltcorn saltcorn < 1.4.6\nsaltcorn saltcorn >= 1.5.0-beta.0, < 1.5.6\nsaltcorn saltcorn >= 1.6.0-alpha.0, < 1.6.0-beta.5",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "saltcorn",
    "version": "< 1.4.6",
    "vendor": "saltcorn",
    "ai_description": "SQL injection vulnerability in Saltcorn's mobile-sync routes",
    "ai_severity": "Critical",
    "ai_vendor": "Saltcorn",
    "ai_product": "Saltcorn",
    "ai_version": "< 1.4.6, < 1.5.6, < 1.6.0-beta.5",
    "ai_score": 10
}