Home / Vulnerability Intelligence / CVE-2026-41478

CVE-2026-41478 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: April 27, 2026

Saltcorn - SQL Injection

Published: April 24, 2026Updated: April 27, 2026Remote Exploitable

Overview

Saltcorn < 1.4.6, < 1.5.6, and < 1.6.0-beta.5 contains a SQL injection caused by improper sanitization in mobile-sync routes, letting authenticated low-privilege users with read access inject arbitrary SQL, potentially leading to full database compromise.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated low-privilege users can exfiltrate or modify the entire database, including sensitive admin data and configuration secrets.

Mitigation

Upgrade to versions 1.4.6, 1.5.6, or 1.6.0-beta.5 or later.

References

https://github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 24, 2026

🔴 CVE-2026-41478 - Critical (9.9) Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41478/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41478
Severity: Critical
CVSS Score: 9.9
Type: sql_injection
Status: unconfirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days