PT-2026-32005 · Saltcorn · Saltcorn

Axel-Corsiez · Published 2026-04-10 · Updated 2026-04-27 · CVE-2026-40163

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Saltcorn versions prior to 1.4.5, prior to 1.5.5, and prior to 1.6.0-beta.4.

Description: Saltcorn is an extensible, open source, no-code database application builder. Unauthenticated attackers can create arbitrary directories and write attacker-controlled JSON content to files via the POST /sync/offline_changes API endpoint. The GET /sync/upload_finished API endpoint allows unauthenticated attackers to list arbitrary directory contents and read specific JSON files. The vulnerability stems from a lack of proper path validation in these endpoints: they fail to apply the File.normalise_in_base() function used elsewhere in the codebase. The newSyncTimestamp parameter of the POST /sync/offline_changes endpoint and the dir_name query parameter of the GET /sync/upload_finished endpoint are passed directly to path.join() without sanitization, allowing path traversal. This could lead to arbitrary file write, directory listing, and potential remote code execution by writing to sensitive paths.

Recommendations: Apply File.normalise_in_base() to the POST /sync/offline_changes and GET /sync/upload_finished endpoints, mirroring the implementation in the clean_sync_dir endpoint. Additionally, add the loggedIn middleware to endpoints that modify server state.

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-40163, GHSA-32PV-MPQG-H292

Affected Products: Saltcorn