CVE-2026-41478: Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

April 16, 2026 (updated April 27, 2026)

A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters. This can lead to full database exfiltration, including admin password hashes and configuration secrets, and may also enable database modification or destruction depending on the backend.

References

github.com/advisories/GHSA-jp74-mfrx-3qvh
github.com/saltcorn/saltcorn
github.com/saltcorn/saltcorn/security/advisories/GHSA-jp74-mfrx-3qvh
nvd.nist.gov/vuln/detail/CVE-2026-41478

Code Behaviors & Features

Detect and mitigate CVE-2026-41478 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →