VIR Vulnerability Intelligence Relay

CVE-2026-41478

critical
Published 2026-04-24 · Modified 2026-05-05
CVSS v3
9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v2
VIR risk
9.9

Description

Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Predictions

Exploit likelihood
98%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

Package impact
EcosystemPackageVulnerableFixed
npm npm@saltcorn/server<1.4.61.4.6
npm npm@saltcorn/server>=1.5.0-beta.0,<1.5.61.5.6
npm npm@saltcorn/server>=1.6.0-alpha.0,<1.6.0-beta.51.6.0-beta.5

Application impact
VendorProductVersionsFixed
saltcornsaltcorn{"endExcluding":"1.4.6"}1.4.6
saltcornsaltcorn1.6.0

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.