
SQL Injection Flaws in Saltcorn and Dagster Enable Data Theft and Privilege Escalation

Tags: internet-facing-service-vulnerability, credential-access-method, identity-authentication-vulnerability

Updated April 25, 2026 at 12:02 AM. 3 sources.

Two disclosed SQL injection vulnerabilities affect Saltcorn and Dagster, allowing authenticated users to execute unintended database queries and access data beyond their assigned privileges. In Saltcorn, the flaw in mobile sync endpoints can bypass application-level authorization controls to extract arbitrary table contents, including sensitive records from _sc_config and bcrypt password hashes from the users table. The exposure can also include active administrative session identifiers in some deployments, creating a direct path to account takeover.

The impact extends beyond data exposure in several configurations. Saltcorn deployments using PostgreSQL may permit stacked queries, enabling attackers to run DML or DDL statements that delete tables, alter configuration, and escalate from a low-privileged account to full administrative control. In Dagster, injected SQL runs with the privileges assigned to the platform's database credentials, which often include broad read, write, and delete access to warehouse data. The risk is particularly acute in Dagster OSS, where limited RBAC means users with API access may be able to trigger the flaw, while Dagster+ reduces default exposure but can still permit privilege escalation under custom RBAC settings.

Timeline

  1. Apr 24, 2026

    Saltcorn fixes mobile sync SQL injection in patched releases

    Saltcorn released fixes for the mobile-sync SQL injection vulnerability in versions 1.4.6, 1.5.6, and 1.6.0-beta.5. The patched releases address an issue that allowed authenticated low-privilege users to inject SQL via sync parameters and potentially exfiltrate or modify database contents.

  2. Apr 18, 2026

    Dagster dynamic partitions SQL injection vulnerability disclosed

    A SQL injection vulnerability in Dagster dynamic partitions was disclosed, with impact depending on the privileges of the database credentials used by the Dagster I/O manager. The disclosure noted risks of unauthorized data exposure, destructive modification, and possible privilege escalation, especially in Dagster OSS environments lacking granular RBAC.

  3. Apr 16, 2026

    Saltcorn Mobile Sync SQL injection vulnerability disclosed

    A vulnerability affecting Saltcorn Mobile Sync endpoints was disclosed, describing how an authenticated attacker could bypass application-level authorization and use SQL injection to exfiltrate arbitrary database contents, including configuration data and password hashes. In PostgreSQL deployments, the issue could also permit stacked queries, enabling destructive changes and privilege escalation to full administrative control.


Related Stories

SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps

MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.

2 weeks ago

Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS

Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.

3 days ago

SQL Injection Flaws Expose AVideo Data and Enable OpenSTAManager RCE

Two newly disclosed SQL injection vulnerabilities affect **WWBN AVideo Live Schedule Reminder** and the **OpenSTAManager Aggiornamenti** module, exposing organizations to severe database compromise. `CVE-2026-33651` is a blind SQL injection issue in AVideo rated **CVSS 8.1** that can let attackers exfiltrate the full database, including email addresses, personal information, and password hashes, while also modifying or deleting records through injected `UPDATE` or `DELETE` statements. Repeated time-based exploitation attempts could also degrade service performance by exhausting server connection pools. `CVE-2026-35168` affects OpenSTAManager and allows an authenticated attacker to execute arbitrary SQL with the privileges of the configured database user, undermining confidentiality, integrity, and availability. In MySQL or MariaDB deployments with broad database permissions, the flaw can enable schema changes, stored procedure tampering, and theft of sensitive financial data; where the database account has the `FILE` privilege, attackers can escalate from database access to **remote code execution** on the application server by writing arbitrary files to the host filesystem.

1 month ago
