Saleor
CVE-2026-23499
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at example.com/dashboard/ and media are under example.com/media/. They are not impact if media files are hosted in a different domain, e.g., media.example.com. Users are impacted if they do not return a Content-Disposition: attachment header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a Content-Security-Policy for media files, such as Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';.
AnalysisAI
Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Saleor. Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft s
RemediationAI
A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerab
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3),
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers
Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching.
Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform ve
GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-bas
In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the
Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the acc
Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authe
Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability
Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exp
Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestE
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today