Saltcorn SQL Injection (CVE-2026-41478) Exposes Sensitive Data
The National Vulnerability Database has published a critical SQL injection vulnerability, CVE-2026-41478, affecting Saltcorn, an open-source no-code database application builder. The flaw, present in versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, allows any authenticated low-privilege user with read access to a table to execute arbitrary SQL statements via sync parameters. This lets an attacker exfiltrate sensitive data, including admin password hashes and configuration secrets, and potentially modify or destroy the database.
This vulnerability carries a CVSS score of 9.9 (CRITICAL), highlighting the severe risk it poses. Attackers can leverage this weakness remotely with minimal privileges to achieve full database compromise. The implications are significant for organizations relying on Saltcorn for application development, as it could lead to complete data exposure and operational disruption.
What This Means For You
- If your organization uses Saltcorn, update immediately to a patched version (1.4.6, 1.5.6, 1.6.0-beta.5, or later) to mitigate CVE-2026-41478. Audit your Saltcorn instances for unauthorized access or data exfiltration attempts through the sync routes.
Detection Rules
The detection rule below was auto-generated for this incident and mapped to MITRE ATT&CK; it is provided as Sigma YAML.
```yaml
title: CVE-2026-41478 Saltcorn SQL Injection via Mobile Sync
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects SQL injection attempts targeting Saltcorn's mobile-sync endpoint by looking for
  specific URI paths and query parameters containing SQL keywords like SELECT, FROM, and
  WHERE. This is the primary vector for CVE-2026-41478, allowing authenticated
  low-privilege users to exfiltrate sensitive data.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41478/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/mobile-sync'
    # The original rule repeated the cs-uri-query|contains key once per keyword,
    # which is invalid YAML (duplicate mapping keys). The |all modifier expresses
    # the intended AND: every listed value must appear in the query string.
    cs-uri-query|contains|all:
      - 'sync_params'
      - 'SELECT'
      - 'FROM'
      - 'WHERE'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
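The following is an added example, not code from the page or from the Saltcorn project, that reimplements the Sigma selection above in plain Python so it can be run over a web server log offline. It assumes W3C extended log format field names (cs-uri-stem, cs-uri-query); the '/mobile-sync' path and the 'sync_params' name are taken from the rule, and the sample log lines are constructed. One practical addition the rule itself does not make: the query string is percent-decoded before matching, so that encoded keywords are not missed.

```python
"""Apply the Sigma selection for CVE-2026-41478 to W3C-style web server log lines.

Added example (not the page's or Saltcorn's own code). Field names follow the
W3C extended log format; '/mobile-sync' and 'sync_params' come from the rule;
all log lines below are constructed, not real traffic.
"""
from urllib.parse import unquote_plus

URI_MARKER = "/mobile-sync"
# Sigma's |contains|all: every marker must be present in the query string.
QUERY_MARKERS_ALL = ("sync_params", "select", "from", "where")

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def parse_w3c_line(line, fields):
    """Split one space-separated W3C log line into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def matches_rule(entry):
    """True when the path contains URI_MARKER and the percent-decoded query
    contains every marker in QUERY_MARKERS_ALL (Sigma matching is
    case-insensitive, so both sides are lowercased)."""
    uri = entry.get("cs-uri-stem", "").lower()
    # Decode first so percent-encoded or plus-encoded keywords are still seen.
    query = unquote_plus(entry.get("cs-uri-query", "")).lower()
    if URI_MARKER not in uri:
        return False
    return all(marker in query for marker in QUERY_MARKERS_ALL)


def scan_log(lines, fields):
    """Return (line_number, entry) pairs for every line that matches the rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directives and blank lines
        entry = parse_w3c_line(line, fields)
        if entry and matches_rule(entry):
            hits.append((number, entry))
    return hits


# Constructed sample (not real traffic): a normal sync call, a percent-encoded
# call carrying SQL keywords on the sync path, and SQL keywords on an unrelated
# path that the rule should ignore.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-25 00:10:01 10.0.0.5 GET /mobile-sync sync_params=table1&since=0 200
2026-04-25 00:10:02 10.0.0.9 GET /mobile-sync sync_params=x%20SELECT%20a%20FROM%20b%20WHERE%201 200
2026-04-25 00:10:03 10.0.0.9 GET /search q=SELECT+a+FROM+b+WHERE+1 200
""".splitlines()

if __name__ == "__main__":
    for number, entry in scan_log(SAMPLE_LOG, FIELDS):
        print(f"line {number}: {entry['c-ip']} {entry['cs-uri-stem']}?{entry['cs-uri-query']}")
```

Only the second entry matches: the first carries no SQL keywords, and the third hits an unrelated path. Keyword matching of this kind is noisy by nature (the rule's own false-positive note applies), so treat hits as triage leads to correlate with the requesting account and the response size rather than as confirmed exploitation.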
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41478 | Vulnerability | CVE-2026-41478 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 25, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.