Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)
Severity: High
Description
A critical SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through sync parameters.
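As an added example (not Saltcorn's code), the bug class described above, a sync query that splices the raw maxLoadedId into the SQL text, is shown beside a hardened builder that validates the value, binds it as a parameter and checks table access first. The table name `items`, the `id` column, node-postgres style `$1` placeholders and the `readableTables` set are assumptions for illustration.

```javascript
// Hypothetical mobile-sync query builders; names and shapes are assumptions,
// not Saltcorn's actual code.

// Validate the untrusted sync parameter: only a non-negative integer is accepted.
function parseMaxLoadedId(raw) {
  const s = String(raw == null ? "" : raw).trim();
  if (!/^\d{1,15}$/.test(s)) {
    throw new TypeError("maxLoadedId must be a non-negative integer");
  }
  return Number(s);
}

// Defective pattern (the class of bug in the advisory): the raw request value
// is interpolated into the SQL text, so the database parses it as SQL.
function buildSyncQueryUnsafe(tableName, rawMaxLoadedId) {
  return {
    text: `SELECT * FROM "${tableName}" WHERE id > ${rawMaxLoadedId} ORDER BY id`,
    values: [],
  };
}

// Hardened pattern: the value travels as a bind parameter ($1, as node-postgres
// expects), and the table name, which cannot be bound, is checked against the
// tables the caller may read before being quoted as an identifier.
function buildSyncQuery(tableName, rawMaxLoadedId, readableTables) {
  if (!readableTables.has(tableName)) {
    throw new Error(`no read access to table ${tableName}`);
  }
  const maxLoadedId = parseMaxLoadedId(rawMaxLoadedId);
  const ident = '"' + tableName.replace(/"/g, '""') + '"';
  return {
    text: `SELECT * FROM ${ident} WHERE id > $1 ORDER BY id`,
    values: [maxLoadedId],
  };
}
```

The hardened builder's `text` never contains request data, so anything an attacker sends in maxLoadedId can only reach the database as a typed integer or be rejected outright.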
Recommendation
Update the @saltcorn/server package to the latest compatible version. Version details follow:
Affected version(s): **>= 1.6.0-alpha.0, < 1.6.0-beta.5**; **>= 1.5.0-beta.0, < 1.5.6**; **< 1.4.6**
Patched version(s): **1.6.0-beta.5**, **1.5.6**, **1.4.6**
Related Issues
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Drizzle ORM has SQL injection via improperly escaped SQL identifiers - CVE-2026-39356
- Payload has an SQL Injection via Query Handling - CVE-2026-34747
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
Tags: npm, @saltcorn/server
Last updated on April 27, 2026