SQL Injection Vulnerability in Saltcorn Database Application Builder
CVE-2026-41478

10 CRITICAL

Key Information:

Vendor:
Saltcorn

Status:
Vendor

CVE Published:
24 April 2026

What is CVE-2026-41478?

The Saltcorn database application builder contains a SQL injection vulnerability in its mobile-sync routes. An authenticated low-privilege user with read access to at least one table can inject arbitrary SQL through the sync parameters. Successful exploitation can exfiltrate sensitive data held in the database, such as admin password hashes and configuration secrets, and, depending on the backend configuration, may also allow data to be modified or destroyed. The issue is fixed in Saltcorn versions 1.4.6, 1.5.6, and 1.6.0-beta.5.

Affected Version(s)

saltcorn < 1.4.6

saltcorn >= 1.5.0-beta.0, < 1.5.6

saltcorn >= 1.6.0-alpha.0, < 1.6.0-beta.5
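To check whether an installed Saltcorn version falls inside the affected ranges above, here is an added example (not Saltcorn's own code); it assumes version strings follow the MAJOR.MINOR.PATCH[-PRERELEASE] form the advisory itself uses, where pre-release tags such as alpha.0 and beta.5 must be ordered correctly rather than compared as plain strings.

```javascript
// Added example (not Saltcorn's own code): is a Saltcorn version string inside
// one of the affected ranges published for CVE-2026-41478? Assumes
// "MAJOR.MINOR.PATCH[-PRERELEASE]" strings as in the advisory.
// Affected ranges copied from the advisory: [lower inclusive, upper exclusive]
const AFFECTED_RANGES = [
  [null, "1.4.6"],
  ["1.5.0-beta.0", "1.5.6"],
  ["1.6.0-alpha.0", "1.6.0-beta.5"],
];

// "1.6.0-beta.5" -> { core: [1, 6, 0], pre: ["beta", 5] }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  const pre = m[4]
    ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p))
    : null;
  return { core, pre };
}

// Semantic-versioning order: a pre-release sorts before the same core without
// one (1.6.0-alpha.0 < 1.6.0-beta.5 < 1.6.0); numeric identifiers compare
// numerically and sort before alphanumeric ones, which compare lexically.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] < vb.core[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre || !vb.pre) return va.pre ? -1 : 1; // pre-release sorts lower
  const n = Math.max(va.pre.length, vb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = va.pre[i], y = vb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x !== typeof y) return typeof x === "number" ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` is inside any affected range (fixed releases are not).
function isAffected(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) &&
    compareVersions(version, hi) < 0);
}
```

Note that 1.5.0-alpha.x builds are reported as not affected because the advisory's range starts at 1.5.0-beta.0; the function only encodes what the advisory states.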

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
