Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
- Severity: High
Description
- There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. It can be used to hijack an admin's session if the admin clicks a specially crafted link.
- Additionally, there is a Command Injection vulnerability in GET /admin/backup.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details:
- Affected version(s): >= 1.1.1, < 1.5.0-beta.19
- Patched version(s): 1.5.0-beta.19
References
Related Issues
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page - Vulnerability
- appium-desktop OS Command Injection vulnerability - CVE-2023-2479
- Command Injection Vulnerability in systeminformation (GHSA-m57p-p67h-mq74) - CVE-2020-26274
- Tags: npm, @saltcorn/server
Last updated on January 26, 2026