Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
- Severity:
- Medium
Description
Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.5 >= 1.5.0-beta.0, < 1.5.6 < 1.4.6** Patched version(s): **1.6.0-beta.5 1.5.6 1.4.6**
References
Related Issues
- Parse Server has an auth provider validation bypass on login via partial authData - CVE-2026-33409
- @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation - CVE-2026-26019
- Feathers has an open redirect in OAuth callback enables account takeover - CVE-2026-27191
- Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass - CVE-2026-45577
You might also like:
- Tags:
- npm
- @saltcorn/server
Anything's wrong? Let us know Last updated on May 11, 2026


