Home > Vulnerability Database > WS-2023-0274

Mend.io Vulnerability Database

WS-2023-0274

Good to know:

Date: January 21, 2026

In @saltcorn/cli, unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled. All tenants of installation (i.e. saltcorn.com), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants. The issue is fixed in version 0.8.7.

Language: TYPE_SCRIPT

Severity Score

8.7

Related Resources (7)

Url: https://github.com/saltcorn/saltcorn/commit/4fecc603afedc158536136ef0bb7a862b240d0d4

Url: https://github.com/saltcorn/saltcorn/commit/0f32a51277a635c814a634bda9b6d358fb8c04ab

Url: https://github.com/saltcorn/saltcorn

Url: https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191

Url: https://github.com/saltcorn/saltcorn/pull/1973

Url: https://github.com/saltcorn/saltcorn/security/advisories/GHSA-wxf3-4fvj-vqqx

Url: https://www.mend.io/vulnerability-database/WS-2023-0274

Severity Score

8.7

Weakness Type (CWE)

Improper Authorization

CWE-285

Top Fix

Upgrade Version

Upgrade to version @saltcorn/cli - 0.8.8-beta.2

Learn More

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0274

Good to know:

Date: January 21, 2026

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?