GHSA-jp74-mfrx-3qvh: Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Saltcorn’s mobile-sync routes (POST /sync/load_changes and POST /sync/deletes) interpolate user-controlled values directly into SQL template literals without parameterization, type-casting, or sanitization. Any authenticated user (role_id ≥ 80, the default “user” role) who has read access to at least one table can inject arbitrary SQL, exfiltrate the entire database including admin password hashes, enumerate all table schemas, and—on a PostgreSQL-backed instance—execute write or DDL operations.
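As an added illustration of the defect class described above (not Saltcorn's own code: the function names, the `posts`/`users` table names, the `$1` placeholder style of node-postgres and the request shape are assumptions), the unsafe template-literal builder is shown beside a hardened builder that allow-lists the table, type-checks the cursor and binds it as a query parameter:

```javascript
// Vulnerable shape (assumed, mirrors the advisory): the client-supplied
// maxLoadedId is spliced into the SQL text, so the database parses whatever
// the client sent as part of the statement.
function buildLoadChangesUnsafe(table, maxLoadedId) {
  return {
    text: `SELECT * FROM "${table}" WHERE id > ${maxLoadedId} ORDER BY id`,
    values: [],
  };
}

// Accept only a non-negative integer cursor, whether it arrives as a JSON
// number or as a decimal string; anything else (booleans, "", "0 OR 1=1") is
// rejected rather than coerced.
function parseCursor(value) {
  if (typeof value === "number") {
    return Number.isSafeInteger(value) && value >= 0 ? value : null;
  }
  if (typeof value === "string" && /^\d{1,15}$/.test(value)) {
    return Number(value);
  }
  return null;
}

// Hardened shape: the table must be one the caller is permitted to read
// (an allow-list, not escaping), the cursor must parse as an integer, and it
// travels as a bind parameter so it can never alter the statement.
function buildLoadChangesSafe(table, maxLoadedId, readableTables) {
  if (!readableTables.has(table)) {
    throw new Error(`table not readable: ${table}`);
  }
  const id = parseCursor(maxLoadedId);
  if (id === null) {
    throw new TypeError("maxLoadedId must be a non-negative integer");
  }
  // Identifier still needs quoting; the allow-list is the real control.
  const ident = '"' + table.replace(/"/g, '""') + '"';
  return {
    text: `SELECT * FROM ${ident} WHERE id > $1 ORDER BY id`,
    values: [id],
  };
}
```

Running the unsafe builder with a non-numeric cursor shows the raw string landing in the statement text; the safe builder refuses the same input before any query is formed.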