21 matches found
GHSA-9237-RG5P-RHFW @saltcorn/data: Tenant user role is used for tenant creation role check
Summary When a tenant admin is logged out of the root domain e.g., saltcorn.com but logged in to their own tenant space as admin, they can simply append /tenant/create to their tenant URL. The system reads the role from the tenant context admin, and a new tenant is created on the root domain in...
@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)
@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...
@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-alpha.17) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-alpha.9)
@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...
@saltcorn/admin-models (>=1.0.0 <=1.4.3), @saltcorn/base-plugin (>=1.0.0 <=1.4.3) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.0.0-beta.0 <=1.4.3)
@saltcorn/data NPM version =1.0.0-beta.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.4.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...
@christianhugo/mobile-builder (>=0.7.3-beta.3 <=0.7.4-beta.9), @christianhugoch/cli (>=0.7.2-beta.12 <=0.7.2-beta.13) +95 more potentially affected by unknown CVE via @saltcorn/data (>=0.0.2 <=1.4.3)
@saltcorn/data NPM version =0.0.2, =0.7.3-beta.3, =0.7.2-beta.12, =0.1.0, =0.0.1, =1.0.0, =0.1.4, =0.6.4, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =1.4.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9237-RG5P-RHFW...
@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)
@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: OSV:GHSA-9237-RG5P-RHFW...
@saltcorn/admin-models (>=1.0.0 <=1.4.5), @saltcorn/base-plugin (>=1.0.0 <=1.4.5) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.0.0-beta.0 <=1.4.5)
@saltcorn/data NPM version =1.0.0-beta.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.4.5 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...
@saltcorn/admin-models (>=1.5.0 <=1.5.5-beta.0), @saltcorn/base-plugin (>=1.5.0 <=1.5.5-beta.0) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.5.0-beta.0 <=1.5.5)
@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.5-beta.0 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...
@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.14), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.14) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.4)
@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.14 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...
SQL Injection
Overview @saltcorn/data is a Data models for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...
GHSA-59XV-588H-2VMM @saltcorn/data vulnerable to SQL Injection via jsexprToSQL Literal Handler
Summary The jsexprToSQL function in Saltcorn converts JavaScript expressions to SQL for use in database constraints. The Literal handler wraps string values in single quotes without escaping embedded single quotes, allowing SQL injection when creating Formula-type table constraints. Vulnerable...
@christianhugo/mobile-builder (>=0.7.3-beta.3 <=0.7.4-beta.9), @christianhugoch/cli (>=0.7.2-beta.12 <=0.7.2-beta.13) +95 more potentially affected by unknown CVE via @saltcorn/data (>=0.0.2 <=1.4.4)
@saltcorn/data NPM version =0.0.2, =0.7.3-beta.3, =0.7.2-beta.12, =0.1.0, =0.0.1, =1.0.0, =0.1.4, =0.6.4, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =1.4.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...
@saltcorn/admin-models (>=1.0.0 <=1.4.3), @saltcorn/base-plugin (>=1.0.0 <=1.4.3) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.0.0-beta.0 <=1.4.3)
@saltcorn/data NPM version =1.0.0-beta.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.4.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15991555...
@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.14), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.14) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.3)
@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.14 Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...
@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-alpha.17) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-alpha.9)
@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15991555...
@saltcorn/admin-models (>=1.5.0 <=1.5.5-beta.0), @saltcorn/base-plugin (>=1.5.0 <=1.5.5-beta.0) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0 <=1.5.5-beta.0)
@saltcorn/data NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.5-beta.0 Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...
@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)
@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15991555...
SQL Injection
Overview @saltcorn/data is a Data models for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the Literal function. An attacker can execute arbitrary SQL commands, manipulate database schema, or exfiltrate data by injecting crafted input...
@saltcorn/admin-models (>=1.5.0-beta.0 <=1.5.0-beta.18), @saltcorn/base-plugin (>=1.5.0-beta.0 <=1.5.0-beta.18) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0-beta.18)
@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.0, =1.5.0-beta.18 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15126137...
@saltcorn/admin-models (>=1.1.1 <=1.4.1-beta.3), @saltcorn/base-plugin (>=1.1.1 <=1.4.1-beta.3) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.1.1 <=1.4.1)
@saltcorn/data NPM version =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.4.1-beta.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-15126137...