| CVE | Severity | CVSS | Risk | Published | Description | Impact |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-41478 | critical | 9.9 | 9.9 | 1mo ago | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | |
| CVE-2026-42259 | medium | — | 5.5 | 20d ago | Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass) | |
| CVE-2026-40163 | unknown | — | — | 2mo ago | Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read | |
| CVE-2024-47818 | unknown | — | — | 2y ago | Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability | |