Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
- Severity: High
Description
- There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route: the name path parameter is reflected into the response without adequate escaping. An attacker who gets an admin to click a specially crafted link can run script in the admin's browser and hijack the admin session.
- Additionally, there is a Command Injection vulnerability in GET /admin/backup, reachable by an authenticated admin. Chained together, the XSS payload can drive the vulnerable backup route from the hijacked admin session, so a single click by an admin is enough for remote code execution on the Saltcorn server.
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details:
- Affected version(s): >= 1.1.1, < 1.5.0-beta.19
- Patched version(s): 1.5.0-beta.19
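To check whether an installed @saltcorn/server is in the affected range, the version string from node_modules/@saltcorn/server/package.json (or a lockfile) has to be compared with prerelease-aware semver rules, since the fix landed in a beta release. The following is an added example, not Saltcorn's code and not from this advisory: it hand-rolls the comparison so it runs offline without the semver package, and the list of versions it audits is a constructed sample.

```javascript
// Added example (not Saltcorn code): is a given @saltcorn/server version
// inside the advisory's affected range ">= 1.1.1, < 1.5.0-beta.19"?
// Implements the SemVer 2.0.0 precedence rules, including the prerelease
// rules that matter here: a prerelease sorts before its release, numeric
// identifiers compare numerically, numeric sorts before alphanumeric.

const AFFECTED_FROM = '1.1.1';       // inclusive lower bound (from the advisory)
const PATCHED_AT = '1.5.0-beta.19';  // exclusive upper bound: first fixed version

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],   // build metadata is ignored for precedence
  };
}

function comparePrereleaseIds(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;  // numeric identifiers have lower precedence than alphanumeric
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;  // ASCII sort for alphanumeric identifiers
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  // Same core version: a release has higher precedence than any of its prereleases.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePrereleaseIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list wins.
  return Math.sign(a.pre.length - b.pre.length);
}

function isAffected(version) {
  return compareSemver(version, AFFECTED_FROM) >= 0 &&
         compareSemver(version, PATCHED_AT) < 0;
}

// Audit a list of version strings; in practice read them from package.json
// files or a lockfile. Returns one {version, affected} record per input.
function auditVersions(versions) {
  return versions.map((v) => ({ version: v, affected: isAffected(v) }));
}

// Constructed sample input, not taken from any real deployment.
const SAMPLE_VERSIONS = ['1.0.9', '1.1.1', '1.4.3', '1.5.0-beta.2', '1.5.0-beta.19', '1.5.0'];
for (const r of auditVersions(SAMPLE_VERSIONS)) {
  console.log(`${r.version.padEnd(14)} ${r.affected ? 'AFFECTED - upgrade' : 'ok'}`);
}
```

Note that a naive string or float comparison would get 1.5.0-beta.2 wrong (it is older than 1.5.0-beta.19 and therefore still affected) and would rank 1.5.0-beta.19 above 1.5.0; the prerelease handling is the point of the check.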
Related Issues
- @saltcorn/server arbitrary file and directory listing when accessing build mobile app results - Vulnerability
- Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability - CVE-2024-47818
- Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page - Vulnerability
- @saltcorn/server arbitrary file zip read and download when downloading auto backups - Vulnerability
- Tags:
- npm
- @saltcorn/server
Last updated on January 26, 2026