CVE-2026-41478 | Saltcorn is an extensible, open source, no-code database app… | CVSS 10.0 CRITICAL

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Metadata

CVE ID: CVE-2026-41478
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-20 16:14 UTC
Published: 2026-04-24 20:52 UTC
Last updated: 2026-04-27 13:34 UTC
Primary CWE: CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product: saltcorn / saltcorn
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
saltcorn	saltcorn	—	< 1.4.6, >= 1.5.0-beta.0, < 1.5.6, >= 1.6.0-alpha.0, < 1.6.0-beta.5

Weakness (CWE)

CWE	Source	Description
CWE-89	cna	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh