{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/saltcorn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-40163"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["saltcorn","file-write","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSaltcorn, a no-code database application builder, contains an unauthenticated arbitrary file write vulnerability. Specifically, versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4 are affected. An attacker can leverage the POST \u003ccode\u003e/sync/offline_changes\u003c/code\u003e endpoint to create arbitrary directories and write a \u003ccode\u003echanges.json\u003c/code\u003e file with attacker-controlled content anywhere on the server\u0026rsquo;s filesystem. Subsequently, the GET \u003ccode\u003e/sync/upload_finished\u003c/code\u003e endpoint allows an unauthenticated attacker to list directory contents and read specific JSON files. This combination of actions allows for complete control of the application, potentially leading to remote code execution. This vulnerability is resolved in Saltcorn versions 1.4.5, 1.5.5, and 1.6.0-beta.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/sync/offline_changes\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThis POST request includes crafted JSON content intended to be written to a \u003ccode\u003echanges.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe server creates arbitrary directories based on the attacker\u0026rsquo;s specifications within the POST request.\u003c/li\u003e\n\u003cli\u003eThe server writes the attacker-supplied JSON content to the \u003ccode\u003echanges.json\u003c/code\u003e file in the created directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a GET request to the \u003ccode\u003e/sync/upload_finished\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe GET request specifies the directory the attacker previously created.\u003c/li\u003e\n\u003cli\u003eThe server lists the contents of the specified directory, including the \u003ccode\u003echanges.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the contents of the \u003ccode\u003echanges.json\u003c/code\u003e file. Successful exploitation allows arbitrary file creation, directory listing, and reading of file contents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to write arbitrary files and list directory contents on the Saltcorn server. This can lead to complete compromise of the application, including remote code execution, data theft, and denial of service. Given that Saltcorn is used in various sectors to build database applications, the potential impact is significant across multiple industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Saltcorn to version 1.4.5, 1.5.5, or 1.6.0-beta.4 or later to patch CVE-2026-40163.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Saltcorn Offline Changes Endpoint Abuse\u003c/code\u003e to detect suspicious POST requests to the \u003ccode\u003e/sync/offline_changes\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Saltcorn Upload Finished Endpoint Abuse\u003c/code\u003e to detect suspicious GET requests to the \u003ccode\u003e/sync/upload_finished\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unexpected POST requests to \u003ccode\u003e/sync/offline_changes\u003c/code\u003e and GET requests to \u003ccode\u003e/sync/upload_finished\u003c/code\u003e (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-saltcorn-file-write/","summary":"Unauthenticated attackers can exploit a vulnerability in Saltcorn versions prior to 1.4.5, 1.5.5, and 1.6.0-beta.4 to write arbitrary files and list directory contents on the server.","title":"Unauthenticated Arbitrary File Write in Saltcorn","url":"https://feed.craftedsignal.io/briefs/2026-04-saltcorn-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Saltcorn","version":"https://jsonfeed.org/version/1.1"}