{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40163", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.014Z", "datePublished": "2026-04-10T17:07:49.067Z", "dateUpdated": "2026-04-15T14:50:01.616Z"}, "containers": {"cna": {"title": "Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292"}], "affected": [{"vendor": "saltcorn", "product": "saltcorn", "versions": [{"version": "< 1.4.5", "status": "affected"}, {"version": ">= 1.5.0-beta.0, < 1.5.5", "status": "affected"}, {"version": ">= 1.6.0-alpha.0, < 1.6.0-beta.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:07:49.067Z"}, "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4."}], "source": {"advisory": "GHSA-32pv-mpqg-h292", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:49:25.336831Z", "id": "CVE-2026-40163", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:50:01.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40163", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:49:25.336831Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:49:42.801Z"}}], "cna": {"title": "Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read", "source": {"advisory": "GHSA-32pv-mpqg-h292", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "saltcorn", "product": "saltcorn", "versions": [{"status": "affected", "version": "< 1.4.5"}, {"status": "affected", "version": ">= 1.5.0-beta.0, < 1.5.5"}, {"status": "affected", "version": ">= 1.6.0-alpha.0, < 1.6.0-beta.4"}]}], "references": [{"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292", "name": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:07:49.067Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40163", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:50:01.616Z", "dateReserved": "2026-04-09T19:31:56.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:07:49.067Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*", "matchCriteriaId": "87D06CD8-6A31-44F3-A1DE-D1E2AA8F3274", "versionEndExcluding": "1.4.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:*:*:*:*:*:*:*:*", "matchCriteriaId": "7E3412F3-9513-4A2F-9B81-0CC96A38BDA7", "versionEndExcluding": "1.5.5", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "B9F0B1DA-694D-46DC-B1C3-B013AC4A849C", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "5A1F05CD-57F4-419B-ACA8-D7C9B6368863", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha10:*:*:*:*:*:*", "matchCriteriaId": "EBF44DCF-6989-4E65-97D0-7C8A9260189A", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha11:*:*:*:*:*:*", "matchCriteriaId": "E6666919-896F-4D1D-8225-3E91BAC9F101", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha12:*:*:*:*:*:*", "matchCriteriaId": "B1724AAF-1FDA-402D-94D2-86CF9DD8839C", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha13:*:*:*:*:*:*", "matchCriteriaId": "696855BA-6E8A-4170-8CC9-8C267C85397B", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha14:*:*:*:*:*:*", "matchCriteriaId": "8B954E3D-95F4-49FB-8A3A-1DFAE831EAEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha15:*:*:*:*:*:*", "matchCriteriaId": "E0EEE350-1436-4C28-B0D7-B2EC26CEF65C", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha16:*:*:*:*:*:*", "matchCriteriaId": "DD555EEB-8C7B-4519-8037-3F4E8CDFFA51", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha17:*:*:*:*:*:*", "matchCriteriaId": "12C8A9DD-0E70-4BD2-A0DF-8951757200DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "E8F83440-DA15-4415-B29F-4710021E06A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "0276E1CB-EFFA-47DF-A281-3317F9EA566E", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "399C6A3D-4EC0-498A-98E6-A81E581E8A10", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "9A768259-04EC-4EA7-83E6-F802A43F7F12", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha6:*:*:*:*:*:*", "matchCriteriaId": "9E0E2D7E-96AA-427A-9043-460C8D6C718E", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha7:*:*:*:*:*:*", "matchCriteriaId": "22CA8D18-519C-4DA9-B245-2E2BA6651ED7", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha8:*:*:*:*:*:*", "matchCriteriaId": "E2820DF8-8124-4880-86F4-A262E5E884AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:alpha9:*:*:*:*:*:*", "matchCriteriaId": "2A3A7215-0C13-4611-8846-804853DAA0B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "480F4CEF-4019-41AC-AD7B-8D317619132A", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "CB023AEF-5AEF-4923-9552-028BF47D7119", "vulnerable": true}, {"criteria": "cpe:2.3:a:saltcorn:saltcorn:1.6.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "959C8B5C-080D-48AA-A91A-AC3F50128450", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4."}], "id": "CVE-2026-40163", "lastModified": "2026-04-27T13:36:14.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T18:16:46.233", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.5.0-beta.0,1.5.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.6.0-alpha.0,1.6.0-beta.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "saltcorn", "source": "cna", "vendor": "saltcorn"}, "product": "saltcorn", "vendor": "saltcorn"}], "analysis": {"en": {"generated_at": "2026-04-15T08:51:17.781908+00:00", "value": {"mitigation_remediation": ["Upgrade Saltcorn to the patched releases 1.4.5, 1.5.5, or 1.6.0\u2011beta.4.", "If upgrading cannot be performed immediately, block or restrict access to the /sync/offline_changes and /sync/upload_finished endpoints in the firewall or enforce HTTP authentication to prevent unauthenticated usage.", "Re\u2011configure the filesystem permissions for the directories used by the sync endpoints so that the web server process cannot write outside the intended application data area."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file write and directory read via unauthenticated access to /sync endpoints"}, "threat_synthesis": {"affected_systems": "The issue affects releases of the Saltcorn no\u2011code database builder before version 1.4.5, 1.5.5, and 1.6.0\u2011beta.4. The product is distributed by the Saltcorn project under the vendor name saltcorn.\n", "description_and_impact": "The flaw is a path\u2011traversal vulnerability in Saltcorn\u2019s synchronization API. An unauthenticated attacker can send a crafted POST request to the /sync/offline_changes endpoint and create any directory, then write a changes.json file containing attacker\u2011controlled JSON to an arbitrary location on the server\u2019s filesystem. A separate GET request to /sync/upload_finished allows the attacker to enumerate arbitrary directory contents and read any JSON file. This combination permits unauthorized disclosure of configuration, data, and code, and can lead to overwriting critical files, data loss, or persistence of malicious code.", "risk_and_exploitability": "The CVSS score of 8.2 denotes high severity, and the vulnerability is exploitable by any network user without authentication, making the attack vector network\u2011based. While the EPSS score is reported as less than 1\u202f%, the ease of execution via simple HTTP calls and the lack of authentication requirements means the practical risk is still significant. The vulnerability is not currently listed in CISA\u2019s KEV catalog, but the combination of high severity and unauthenticated access mandates prompt remediation."}}}}, "created": "2026-04-13T12:43:44.345602+00:00", "updated": "2026-04-15T16:00:07.792814+00:00", "vendors": ["saltcorn", "saltcorn$PRODUCT$saltcorn"]}