
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-jp74-mfrx-3qvh: Authenticated SQL Injection in Saltcorn Mobile Sync Endpoints

Vulnerability ID: GHSA-JP74-MFRX-3QVH
CVSS Score: 9.9
Published: 2026-04-16

A high-severity SQL injection vulnerability in the Saltcorn @saltcorn/server package allows low-privileged, authenticated users to execute arbitrary SQL commands. The flaw resides in the /sync/load_changes endpoint, where user-controlled input is directly interpolated into database queries without sanitization.

TL;DR

Saltcorn's mobile synchronization endpoints fail to properly sanitize the maxLoadedId parameter. An authenticated user with read access to a single table can exploit this via a crafted JSON payload, resulting in complete database compromise and potential privilege escalation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Network
  • CVSS Score: 9.9 (Critical)
  • Privileges Required: Low (Authenticated)
  • Impact: Total Compromise (Confidentiality, Integrity, Availability)
  • Exploit Status: Proof-of-Concept Available

Affected Systems

  • Saltcorn Open-Source App Builder
  • @saltcorn/server npm package
  • @saltcorn/server: < 1.4.6 (Fixed in: 1.4.6)
  • @saltcorn/server: >= 1.5.0-beta.0, < 1.5.6 (Fixed in: 1.5.6)
  • @saltcorn/server: >= 1.6.0-alpha.0, < 1.6.0-beta.5 (Fixed in: 1.6.0-beta.5)

Exploit Details

Mitigation Strategies

  • Upgrade @saltcorn/server to patched versions (1.4.6, 1.5.6, or 1.6.0-beta.5)
  • Block or restrict access to /sync/* endpoints via WAF or reverse proxy
  • Implement strict Web Application Firewall rules to inspect JSON body parameters for SQL syntax
  • Enforce least-privilege principles for the database user assigned to the application

Remediation Steps:

  1. Identify the current version of @saltcorn/server in use via npm list @saltcorn/server
  2. Update the package dependencies to the respective fixed version based on the active branch
  3. Restart the Saltcorn server processes to apply the new package code
  4. Monitor application logs for anomalous POST requests to the sync endpoints
  5. Rotate application secrets and user passwords if unauthorized access to the endpoints is detected
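Two defender-side checks matching the remediation steps above, written as an added example (not Saltcorn's own code): a version-range test against the three affected branches listed under Affected Systems, and a scan of request-log lines that flags POSTs to /sync/ endpoints whose maxLoadedId is not a plain integer. The log line format and the assumption that a legitimate maxLoadedId is a non-negative integer are mine, not the project's.

```javascript
// Minimal semver parse/compare that understands pre-release tags such as 1.5.0-beta.0.
function parse(v) {
  const [core, pre] = v.split('-');
  const nums = core.split('.').map(Number);
  const ids = pre ? pre.split('.').map((s) => (/^\d+$/.test(s) ? Number(s) : s)) : null;
  return { nums, ids };
}

function cmp(a, b) {
  const A = parse(a), B = parse(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (!A.ids && !B.ids) return 0;
  if (!A.ids) return 1;   // a release sorts after its own pre-releases
  if (!B.ids) return -1;
  for (let i = 0; i < Math.max(A.ids.length, B.ids.length); i++) {
    const x = A.ids[i], y = B.ids[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x - y;
    if (typeof x === 'number') return -1;   // numeric identifiers sort before alphanumeric ones
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;                   // e.g. alpha < beta
  }
  return 0;
}

// Affected ranges from the advisory as [lower, upper) pairs; null lower means every earlier version.
const AFFECTED = [
  [null, '1.4.6'],
  ['1.5.0-beta.0', '1.5.6'],
  ['1.6.0-alpha.0', '1.6.0-beta.5'],
];

function isAffected(version) {
  return AFFECTED.some(([lo, hi]) => (lo === null || cmp(version, lo) >= 0) && cmp(version, hi) < 0);
}

// Constructed log line format: "<method> <path> <json body>". Flags a POST to a /sync/ endpoint
// whose maxLoadedId is present but not a plain non-negative integer (assumption: clients send row ids).
function flagSyncRequest(line) {
  const m = /^(\S+) (\S+) (.*)$/.exec(line);
  if (!m || m[1] !== 'POST' || !m[2].startsWith('/sync/')) return false;
  let body;
  try { body = JSON.parse(m[3]); } catch { return true; }   // unparseable body on this endpoint: flag it
  const id = body.maxLoadedId;
  if (id === undefined) return false;
  return !(Number.isInteger(id) && id >= 0) && !(typeof id === 'string' && /^\d+$/.test(id));
}
```

Feed `npm list @saltcorn/server` output into isAffected() and your access log into flagSyncRequest() to cover steps 1 and 4.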

Read the full report for GHSA-JP74-MFRX-3QVH on our website for more details including interactive diagrams and full exploit analysis.
