Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read

Description

Two unauthenticated path traversal vulnerabilities exist in Saltcorn’s mobile sync endpoints. The POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem.

Recommendation

Update the @saltcorn/server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.4

  >= 1.5.0-beta.0, < 1.5.5

  < 1.4.5**

• Patched version(s): **1.6.0-beta.4

  1.5.5

  1.4.5**

References

• GHSA-32pv-mpqg-h292
• CVE-2026-40163
• CWE-22
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• SillyTavern has a path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory - CVE-2026-34522
• ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
• Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write - CVE-2026-35214
• Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

Secure Coding 101: How to Read and Write Files Securely

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@saltcorn/server