CVE-2026-42259

CVE-2026-42259 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-601.

Key facts

Description

Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.

Frequently asked questions

What is CVE-2026-42259?
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.
How severe is CVE-2026-42259?
CVE-2026-42259 has a CVSS 4.0 base score of 5.1, rated medium severity.
Is CVE-2026-42259 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-42259?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-42259 have an EU (EUVD) identifier?
Yes. CVE-2026-42259 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-28431.
When was CVE-2026-42259 published?
CVE-2026-42259 was published on 2026-05-07 and last updated on 2026-06-17.

References

Other CWE-601 (Open Redirect) vulnerabilities

Browse all CWE-601 (Open Redirect) vulnerabilities →