npm/@saltcorn/server — 4 CVEs

CRITICAL9.9CVE-2026-41478Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

from 0, < 1.4.6

HIGH8.2CVE-2026-40163Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read

from 0, < 1.4.5

MEDIUM6.5CVE-2024-47818Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability

from 0, < 1.0.0-beta.16

—Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)

from 0, < 1.4.6

pkg:npm/@saltcorn/server