@saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler
- Severity:
- Low
Description
The jsexprToSQL() function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The Literal handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints.
Recommendation
Update the @saltcorn/data package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.4 >= 1.5.0, < 1.5.5 < 1.4.5** Patched version(s): **1.6.0-beta.4 1.5.5 1.4.5**
References
Related Issues
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Veramo is Vulnerable to SQL Injection in Veramo Data Store ORM - Vulnerability
- Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
- @saltcorn/data: Tenant user role is used for tenant creation role check - Vulnerability
You might also like:
- Tags:
- npm
- @saltcorn/data
Anything's wrong? Let us know Last updated on April 10, 2026


