Vulnerability Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saltcorn | Saltcorn | < 1.4.6 |
Related Weaknesses (CWE)
References
- https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvhVendor Advisory
- https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvhVendor Advisory
FAQ
What is CVE-2026-41478?
CVE-2026-41478 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authent...
How severe is CVE-2026-41478?
CVE-2026-41478 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41478?
Check the references section above for vendor advisories and patch information. Affected products include: Saltcorn Saltcorn.