CVE-2026-42259
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes () to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| saltcorn | saltcorn | < 1.4.6 | affected |
| saltcorn | saltcorn | >= 1.5.0-beta.0, < 1.5.6 | affected |
| saltcorn | saltcorn | >= 1.6.0-alpha.0, < 1.6.0-beta.5 | affected |
Weaknesses
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.