CVE-2026-40163

Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.

INFO

Published Date :

2026-04-10T17:07:49.067Z

Last Modified :

2026-04-10T17:07:49.067Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-40163 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40163.

URL	Resource
https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact