{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.005Z", "datePublished": "2026-04-24T20:52:30.670Z", "dateUpdated": "2026-04-27T13:34:34.775Z"}, "containers": {"cna": {"title": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"}], "affected": [{"vendor": "saltcorn", "product": "saltcorn", "versions": [{"version": "< 1.4.6", "status": "affected"}, {"version": ">= 1.5.0-beta.0, < 1.5.6", "status": "affected"}, {"version": ">= 1.6.0-alpha.0, < 1.6.0-beta.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T20:52:30.670Z"}, "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."}], "source": {"advisory": "GHSA-jp74-mfrx-3qvh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:10:53.061661Z", "id": "CVE-2026-41478", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:34:34.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41478", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T13:10:53.061661Z"}}}], "references": [{"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:10:54.104Z"}}], "cna": {"title": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)", "source": {"advisory": "GHSA-jp74-mfrx-3qvh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "saltcorn", "product": "saltcorn", "versions": [{"status": "affected", "version": "< 1.4.6"}, {"status": "affected", "version": ">= 1.5.0-beta.0, < 1.5.6"}, {"status": "affected", "version": ">= 1.6.0-alpha.0, < 1.6.0-beta.5"}]}], "references": [{"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh", "name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T20:52:30.670Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41478", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:34:34.775Z", "dateReserved": "2026-04-20T16:14:19.005Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T20:52:30.670Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."}], "id": "CVE-2026-41478", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T21:16:19.353", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0-beta.0,1.5.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0-alpha.0,1.6.0-beta.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "saltcorn", "source": "cna", "vendor": "saltcorn"}, "product": "saltcorn", "vendor": "saltcorn"}], "created": "2026-04-27T20:15:12.103548+00:00", "updated": "2026-04-27T20:15:12.103597+00:00", "vendors": ["saltcorn", "saltcorn$PRODUCT$saltcorn"]}