CVE-2026-41478 - Vulnerability Analysis
CriticalCVSS: 9.9Last Updated: April 24, 2026
Saltcorn - SQL Injection
Published: April 24, 2026Updated: April 24, 2026Remote Exploitable
Overview
Saltcorn < 1.4.6, < 1.5.6, and < 1.6.0-beta.5 contains a SQL injection caused by improper sanitization in mobile-sync routes, letting authenticated low-privilege users with read access inject arbitrary SQL, potentially leading to full database compromise.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Authenticated low-privilege users can exfiltrate or modify the entire database, including sensitive admin data and configuration secrets.
Mitigation
Upgrade to versions 1.4.6, 1.5.6, or 1.6.0-beta.5 or later.
Related Resources
Details
- CVE ID
- CVE-2026-41478
- Severity
- Critical
- CVSS Score
- 9.9
- Type
- sql_injection
- Status
- new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H