@christianhugo/mobile-builder (>=0.7.3-beta.3 <=0.7.4-beta.9), @christianhugoch/cli (>=0.7.2-beta.12 <=0.7.2-beta.13) +95 more potentially affected by unknown CVE via @saltcorn/data (>=0.0.2 <=1.4.3)

@saltcorn/data NPM version =0.0.2, =0.7.3-beta.3, =0.7.2-beta.12, =0.1.0, =0.0.1, =1.0.0, =0.1.4, =0.6.4, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =1.4.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9237-RG5P-RHFW...

@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: OSV:GHSA-9237-RG5P-RHFW...

GHSA-9237-RG5P-RHFW @saltcorn/data: Tenant user role is used for tenant creation role check

Summary When a tenant admin is logged out of the root domain e.g., saltcorn.com but logged in to their own tenant space as admin, they can simply append /tenant/create to their tenant URL. The system reads the role from the tenant context admin, and a new tenant is created on the root domain in...

@saltcorn/admin-models (>=1.0.0 <=1.4.5), @saltcorn/base-plugin (>=1.0.0 <=1.4.5) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.0.0-beta.0 <=1.4.5)

@saltcorn/data NPM version =1.0.0-beta.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.4.5 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.12) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.4)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...

SQL Injection

Overview @saltcorn/data is a Data models for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...

@christianhugo/mobile-builder (>=0.7.3-beta.3 <=0.7.4-beta.9), @christianhugoch/cli (>=0.7.2-beta.12 <=0.7.2-beta.13) +95 more potentially affected by unknown CVE via @saltcorn/data (>=0.0.2 <=1.4.4)

@saltcorn/data NPM version =0.0.2, =0.7.3-beta.3, =0.7.2-beta.12, =0.1.0, =0.0.1, =1.0.0, =0.1.4, =0.6.4, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =1.4.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...

@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15991555...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-alpha.17) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-alpha.9)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15991555...

@saltcorn/admin-models (>=1.1.1 <=1.4.1-beta.3), @saltcorn/base-plugin (>=1.1.1 <=1.4.1-beta.3) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.1.1 <=1.4.1)

@saltcorn/data NPM version =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.4.1-beta.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15126137...

@saltcorn/admin-models (>=1.5.0-beta.0 <=1.5.0-beta.18), @saltcorn/base-plugin (>=1.5.0-beta.0 <=1.5.0-beta.18) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0-beta.18)

@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.18 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15126137...

Cross-site Scripting (XSS)

Overview @saltcorn/data is a Data models for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to Cross-site Scripting XSS and code execution, via the name parameter on the /admin/edit-codepage endpoint and improper handling of backup password input to the...