CVE-2026-41478 CRITICAL

CVE-2026-41478: Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Vendor Saltcorn

Product saltcorn

Weakness CWE-89 · SQLi

Published April 24, 2026

Last update April 27, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Key dates

02Disclosure timeline

April 24, 2026 CVE published

April 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41478

Related vulnerabilities

Identifiers

CVE CVE-2026-41478

CWE CWE-89

CVSS 10.0 / CRITICAL

Affected versions

Vendor Saltcorn

Product saltcorn

Affected < 1.4.6

Vendor Saltcorn

Product saltcorn

Affected >= 1.5.0-beta.0, < 1.5.6

Vendor Saltcorn

Product saltcorn

Affected >= 1.6.0-alpha.0, < 1.6.0-beta.5

CVE-2026-41478: Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

01Description

02Disclosure timeline

03References

04Related CVE