Cross-Origin Navigation Vulnerability in Saltcorn Database Application Builder
CVE-2026-42259

5.1 MEDIUM

Key Information:

Vendor: Saltcorn

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-42259?

Saltcorn, a no-code database application builder, has a vulnerability that allows cross-origin navigation because the post-login destination parameter is improperly validated. In versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, the validation only blocks certain characters, which leaves room for an attacker to exploit the flaw. When a user follows a crafted link, the application emits the attacker's payload in the HTTP Location header, sending the unsuspecting user to an attacker-controlled domain after login. The issue affects default installations and requires user interaction to exploit; affected installations should be updated to the patched versions immediately.
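The difference between blocking characters and validating the resolved destination, as an added example that is not Saltcorn's code or its patch. The origin app.example, the function names, the blocklist contents and the sample inputs are all constructed for illustration; the advisory does not list the characters the real check blocks.

```javascript
// Added example: every name and value here is constructed, not taken from Saltcorn.
const APP_ORIGIN = "https://app.example"; // assumed origin of the deployment

// Weak pattern: accept the destination unless it contains a listed substring.
// This blocklist is hypothetical and only illustrates the class of check.
function blocklistCheck(dest) {
  return !["://", "javascript:"].some((bad) => dest.includes(bad));
}

// Hardened pattern: resolve the value the way a browser resolves a Location
// header, then require that the result stays on the application's own origin.
function safeDest(dest, fallback = "/") {
  // Only path-style destinations are expected after login.
  if (typeof dest !== "string" || !dest.startsWith("/")) return fallback;
  // Browsers rewrite backslashes and drop some control characters while
  // parsing, so refuse them before the value reaches the URL parser.
  if (/[\\\x00-\x1f\x7f]/.test(dest)) return fallback;
  let url;
  try {
    url = new URL(dest, APP_ORIGIN);
  } catch {
    return fallback; // unparsable input never reaches the Location header
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // Re-serialise from parsed parts so the header carries a normalised path.
  return url.pathname + url.search + url.hash;
}

// Constructed sample destinations, checked by both functions.
function compare(samples) {
  return samples.map((dest) => ({
    dest,
    blocklistAccepts: blocklistCheck(dest),
    redirectTo: safeDest(dest),
  }));
}

console.table(
  compare([
    "/dashboard?tab=1",
    "//other.example/path",
    "/\\other.example",
    "https://other.example/",
  ])
);
```

The blocklist accepts the scheme-relative and backslash samples because neither contains a listed substring, while safeDest falls back to "/" for every value that does not resolve to the application's own origin.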

Affected Version(s)

saltcorn < 1.4.6

saltcorn >= 1.5.0-beta.0, < 1.5.6

saltcorn >= 1.6.0-alpha.0, < 1.6.0-beta.5

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
