CVE-2026-41478 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in Saltcorn's `mobile-sync` route. 💥 **Consequences**: Attackers can inject arbitrary SQL commands via sync parameters, leading to full data compromise.

🛡️ **Root Cause**: **CWE-89** (SQL Injection). The flaw lies in improper input validation within the `mobile-sync` endpoint, allowing malicious SQL payloads to execute.

📦 **Affected Versions**: Saltcorn **< 1.4.6**, **< 1.5.6**, and **< 1.6.0-beta.5**. Any version prior to these specific release numbers is vulnerable.

💰 **Impact**: Low-privilege users (with read access to at least one table) can escalate. They can read, modify, or delete **any data** in the database due to High CVSS score (C:H, I:H, A:H).

🔓 **Threshold**: **Low**. Requires **Authentication** (PR:L) and basic read permissions. No user interaction (UI:N) needed. Network accessible (AV:N).

📜 **Public Exploit**: **No**. The `pocs` array is empty. No public Proof-of-Concept or wild exploitation code is currently available.

🔍 **Self-Check**: Scan for Saltcorn instances running versions **1.4.5 and below**, **1.5.5 and below**, or **1.6.0-beta.4 and below**. Check if the `mobile-sync` endpoint is exposed.

✅ **Fix**: **Yes**. Upgrade to **Saltcorn 1.4.6**, **1.5.6**, or **1.6.0-beta.5** (or later). Refer to the GitHub Security Advisory for official patch details.

🚧 **No Patch Workaround**: Restrict network access to the `mobile-sync` route. Disable mobile sync if not needed. Ensure strict WAF rules block SQL injection patterns in sync parameters.

⚡ **Urgency**: **HIGH**. CVSS 3.1 Vector indicates High severity. Since it affects authenticated users and allows full DB control, patch immediately upon upgrading.