DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CR3W-CW5W-H3FJ: Saltcorn's Salty Surprise: From Reflected XSS to Root Shell in One Click


Vulnerability ID: GHSA-CR3W-CW5W-H3FJ
CVSS Score: 9.6
Published: 2026-01-26

A combination of Reflected Cross-Site Scripting (XSS) and OS Command Injection in the Saltcorn no-code platform allows an unauthenticated attacker to achieve Remote Code Execution (RCE) by tricking a logged-in administrator into clicking a single link.

TL;DR

Saltcorn, an open-source no-code builder, contained a critical exploit chain. A Reflected XSS vulnerability in the admin interface served as the entry point: script running in the administrator's browser could submit a backup request on the admin's behalf, and the backup code passed a user-controlled value into a shell command. By sending a crafted link to a logged-in administrator, an attacker could therefore make the server execute arbitrary shell commands with the privileges of the Saltcorn process (often root in Docker deployments).


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network (Admin Interaction Required)
  • CVSS Score: 9.6 (Critical)
  • CWE IDs: CWE-78 (OS Command Injection), CWE-79 (XSS)
  • Vulnerability Type: Chained 1-Click RCE
  • Key Component: child_process.exec
  • Patch Date: 2026-01-13

Affected Systems

  • Saltcorn (Docker images)
  • Saltcorn (npm package)
  • Saltcorn < 1.3.0 (Command Injection)
  • Saltcorn < 1.1.1 (Reflected XSS)
  • Not affected: Saltcorn >= 1.3.0 (fixed in releases from January 2026 onward)

Code Analysis

Commit: 1bf681e

Fix command injection in backup and add global param escaping

- exec(cmd, { cwd: folder }...
+ spawn("zip", args, { cwd: folder }...
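Review bot: the safety of the `+ spawn("zip", args, ...)` line depends on two things the elided `...` hides: that `args` is built as a plain array with the password as its own element, and that the options object does not set `shell: true`, which would make Node re-join the array into one string and hand it back to `/bin/sh`. A one-line comment at the call site stating that the password must travel as a discrete argv entry, plus a test that a password such as `x$(id)` reaches zip verbatim, would protect this fix from a later refactor. Separately, if the backup password is one of `args`, it is visible to other local users in the process list for the duration of the zip run; that predates this change but deserves a follow-up.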

Exploit Details

Mitigation Strategies

  • Update Saltcorn to the latest version immediately.
  • Restrict access to the /admin interface using a VPN or IP allowlist.
  • Deploy a WAF to detect and block common shell injection patterns (e.g., $(...), ;, |) in requests to the backup endpoint. Treat this as defence in depth only: the request is sent by the administrator's own authenticated browser, so the WAF is the last control between the payload and the shell.

Remediation Steps:

  1. Pull the latest Docker image or update the npm package.
  2. Verify that the underscore dependency is updated to at least 1.13.7.
  3. Check logs for failed backup attempts containing suspicious characters in the password field.

References


Read the full report for GHSA-CR3W-CW5W-H3FJ on our website for more details including interactive diagrams and full exploit analysis.
