๐Ÿ” CVE Alert

CVE-2026-42259

Severity: UNKNOWN (CVSS 0.0)

Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login `dest` parameter with a string check that only blocks `:/` and `//`. Because all WHATWG-compliant browsers normalise backslashes (`\`) to forward slashes (`/`) for special schemes such as http and https, a payload such as `/\evil.com/path` slips through `is_relative_url()`, is emitted unchanged in the HTTP `Location` header, and is resolved by the browser as if it were `//evil.com/path`, a cross-origin navigation to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL that carries the malicious `dest`. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.
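The following is an added example and not Saltcorn's own code: it reconstructs a string check of the kind the advisory describes, shows where a WHATWG-compliant browser (here Node's built-in `URL` class, which implements the same parser) actually lands when it follows the `/\evil.com/path` payload, and places a hardened check beside it that resolves the candidate against the site's own origin instead of pattern-matching the string. The function names, the `postLoginLocation` helper and the origin `https://saltcorn.example` are assumptions for illustration.

```javascript
// Added example, not Saltcorn's own code. Reconstructs the weak string
// check the advisory describes and a hardened replacement that relies on
// the WHATWG URL parser (Node's global URL class). Names and the site
// origin below are assumptions for illustration.

// Assumed trusted origin of the Saltcorn instance issuing the redirect.
const SITE_ORIGIN = "https://saltcorn.example";

// Weak check of the kind described in the advisory: rejects "scheme:/..."
// and protocol-relative "//..." by substring match, and nothing else.
function isRelativeUrlWeak(dest) {
  return typeof dest === "string" && !dest.includes(":/") && !dest.includes("//");
}

// What a WHATWG-compliant browser does with a Location header carrying
// `dest`: resolve it against the page it was on. For special schemes
// (http, https, ...) a "\" is treated like "/", so "/\evil.com/path"
// resolves to "https://evil.com/path".
function resolveAsBrowser(dest, siteOrigin = SITE_ORIGIN) {
  return new URL(dest, siteOrigin).href;
}

// Hardened check: parse `dest` the way the browser will and accept only a
// result that stays on our own origin. Backslash variants, protocol-
// relative URLs, absolute URLs to other hosts and "javascript:" all fail
// because their resolved origin is not ours.
function isSafeLocalRedirect(dest, siteOrigin = SITE_ORIGIN) {
  if (typeof dest !== "string" || dest === "") return false;
  let resolved;
  try {
    resolved = new URL(dest, siteOrigin);
  } catch {
    return false; // unparseable input is never a valid local path
  }
  return resolved.origin === new URL(siteOrigin).origin;
}

// Location header value a login handler should emit: the requested `dest`
// only when it is a safe same-origin target, otherwise the site root.
function postLoginLocation(dest, siteOrigin = SITE_ORIGIN) {
  return isSafeLocalRedirect(dest, siteOrigin) ? dest : "/";
}

// Constructed sample inputs: the advisory's bypass payload and neighbours.
const samples = [
  "/\\evil.com/path",
  "//evil.com/path",
  "https://evil.com",
  "/view/home",
  "javascript:alert(1)",
];
for (const dest of samples) {
  console.log(
    JSON.stringify(dest).padEnd(22),
    "weak:", String(isRelativeUrlWeak(dest)).padEnd(5),
    "browser ->", resolveAsBrowser(dest).padEnd(32),
    "hardened:", isSafeLocalRedirect(dest)
  );
}
```

Running the block prints one line per sample; the only input that the weak check accepts while the browser resolves it off-origin is the backslash payload, which the origin comparison rejects. Comparing the resolved origin rather than the string is the robust form of the fix, because it inherits whatever normalisation the parser applies instead of trying to enumerate separator variants by hand.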

CWE: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
Vendor: saltcorn
Product: saltcorn
Published: May 7, 2026

Affected Versions

saltcorn / saltcorn
- < 1.4.6
- >= 1.5.0-beta.0, < 1.5.6
- >= 1.6.0-alpha.0, < 1.6.0-beta.5

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv