GHSA-CR3W-CW5W-H3FJ

Vulnerability from github – Published: 2026-01-26 23:34 – Updated: 2026-01-26 23:34
Summary
Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
Details

Summary

  1. There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.
  2. Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password, which is inserted into the command used to create the backup zip.

Both vulnerabilities can be chained to craft a malicious link that executes an arbitrary shell command on the server if it is clicked by a Saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).

Details

  1. The XSS vulnerability is here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887 Specifically, the name parameter is inserted into the page's breadcrumbs without HTML escaping, so markup in the URL path is rendered as part of the admin page.
  2. The Command Injection happens here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382

PoC

  1. A minimal PoC for the XSS can be as simple as: http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A (assuming Saltcorn is running at localhost:3000 and the user has an active admin session). URL-decoded, the name parameter is <img src=x onerror=alert(1)> followed by a newline; the onerror handler runs in the admin's origin as soon as the page renders.
  2. For the Command Injection, visit the backup section of Saltcorn, set the backup password to something like ";$(whoami);" (including the quotation marks) and then click "Download a backup" in the "Manual backup" section. This should display an error page saying that /bin/sh could not find a binary named "root" or "saltcorn", depending on which user the Saltcorn process runs as: the leading quotation mark closes the shell quoting around the password, ; ends the zip command, and $(whoami) expands to the user name, which the shell then tries to execute as a command.

An example of an exploit that chains both vulnerabilities and generates the aforementioned malicious link: exploit.zip (https://github.com/user-attachments/files/24356819/exploit.zip)

Affected Versions

Edit: The following Docker containers from Docker Hub were tested: 1.4.1, 1.4.0, 1.3.1, 1.3.0, 1.2.0, 1.1.2, 1.1.1, 1.0.0. The Command Injection is applicable to versions >= 1.3.0. The XSS is applicable to versions >= 1.1.1. The advisory record below lists @saltcorn/server as affected from 1.1.1 and fixed in 1.5.0-beta.19 (commit 1bf681e08c45719a52afcf3506fb5ec59f4974d5); since the one-click chain needs both bugs, the chain itself applies to 1.3.0 and later.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.1"
            },
            {
              "fixed": "1.5.0-beta.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T23:34:49Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\n1. There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.\n2. Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip.\n\n\nBoth vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).\n\n### Details\n1. The XSS vulnerability is here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887 Specifically, the name parameter is inserted into the pages breadcrumbs without sanitization.\n2. The Command Injection happens here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382\n\n### PoC\n1. A minimal PoC for the XSS can be as simple as: http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A (assuming saltcorn running at localhost:3000 and the user having an active admin session)\n2. For the Command Injection, visit the backup section of saltcorn, set an admin password like `\";$(whoami);\"` (including the quotation marks) and then click \"Download a backup\" in the \"Manual backup\" section. This should display an error page saying that /bin/sh could not find the binary named \"root\" or \"saltcorn\", depending on the user.\n\nAn example of an exploit that chains both vulnerabilities and generates the aforementioned malicious link:\n[exploit.zip](https://github.com/user-attachments/files/24356819/exploit.zip)\n\n### Affected Versions\nEdit: The following Docker containers from docker hub were tested: 1.4.1, 1.4.0, 1.3.1, 1.3.0, 1.2.0, 1.1.2, 1.1.1, 1.0.0\nThe Command Injection is applicable to versions \u003e= 1.3.0.\nThe XSS is applicable to versions \u003e= 1.1.1",
  "id": "GHSA-cr3w-cw5w-h3fj",
  "modified": "2026-01-26T23:34:49Z",
  "published": "2026-01-26T23:34:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-cr3w-cw5w-h3fj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/commit/1bf681e08c45719a52afcf3506fb5ec59f4974d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Saltcorn\u0027s Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE"
}

