Skip to main content

Saleor

18 CVEs product

Monthly

CVE-2026-39851 MEDIUM PATCH This Month

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.

Information Disclosure Saleor
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-35407 MEDIUM PATCH This Month

Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the account email change workflow that allows authenticated attackers to change another user's email address by replaying a valid email-change confirmation token issued for a different account. The flaw stems from the confirmation flow's failure to verify that the token was issued for the requesting user, enabling token reuse across accounts with low attack complexity. The vulnerability affects millions of potential e-commerce deployments and is fixed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118; no public exploit code or active exploitation in the wild has been identified at the time of analysis.

Authentication Bypass Saleor
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-35401 HIGH PATCH This Week

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.

Denial Of Service Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33756 HIGH PATCH This Week

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).

Denial Of Service Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24136 HIGH PATCH This Week

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform versions 3.2.0-3.22.28 to retrieve sensitive customer information including personally identifiable data in plain text through the order() GraphQL query. This high-severity vulnerability (CVSS 7.5) affects orders across multiple version branches and has been patched in releases 3.20.110, 3.21.45, and 3.22.29. Organizations unable to patch immediately should implement WAF rules to restrict non-staff access to order queries.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23499 MEDIUM PATCH This Month

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.

File Upload XSS Saleor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22849 MEDIUM PATCH This Month

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

XSS Saleor
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-31205 MEDIUM PATCH This Month

Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Saleor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-29888 PyPI MEDIUM PATCH This Month

Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Saleor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-32694 MEDIUM PATCH This Month

Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Saleor
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-26052 PyPI MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Saleor
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-26051 PyPI MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Python Saleor
NVD GitHub
CVSS 3.1
4.3
EPSS
0.8%
CVE-2022-39275 MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-0932 PyPI MEDIUM POC PATCH This Month

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-15085 MEDIUM PATCH This Month

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.

Information Disclosure Saleor
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-7964 PyPI MEDIUM PATCH This Month

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2019-1010304 MEDIUM POC This Month

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Saleor
NVD GitHub
CVSS 3.0
5.3
EPSS
1.2%
CVE-2019-13594 PyPI HIGH PATCH This Week

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Saleor
NVD GitHub
CVSS 3.0
8.8
EPSS
0.6%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Saleor e-commerce platform versions 2.10.0 through 3.23.0a2 leak user email addresses via error messages in the requestEmailChange() GraphQL mutation, allowing authenticated attackers to enumerate valid email addresses in the system. The vulnerability affects multiple version branches and is resolved in patched versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. CVSS 5.3 reflects low confidentiality impact with authentication requirement.

Information Disclosure Saleor
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the account email change workflow that allows authenticated attackers to change another user's email address by replaying a valid email-change confirmation token issued for a different account. The flaw stems from the confirmation flow's failure to verify that the token was issued for the requesting user, enabling token reuse across accounts with low attack complexity. The vulnerability affects millions of potential e-commerce deployments and is fixed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118; no public exploit code or active exploitation in the wild has been identified at the time of analysis.

Authentication Bypass Saleor
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.

Denial Of Service Saleor
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).

Denial Of Service Saleor
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can exploit an insecure direct object reference vulnerability in Saleor e-commerce platform versions 3.2.0-3.22.28 to retrieve sensitive customer information including personally identifiable data in plain text through the order() GraphQL query. This high-severity vulnerability (CVSS 7.5) affects orders across multiple version branches and has been patched in releases 3.20.110, 3.21.45, and 3.22.29. Organizations unable to patch immediately should implement WAF rules to restrict non-staff access to order queries.

Authentication Bypass Saleor
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Authenticated staff users in Saleor e-commerce platform versions 3.0.0 through 3.22.26 can upload malicious HTML and SVG files containing JavaScript that execute in users' browsers when served from the same domain as the dashboard, potentially allowing token theft. An attacker with staff privileges could craft script injections to compromise other staff members' sessions and access tokens. This vulnerability affects deployments where media files are hosted on the same domain as the dashboard and patches are available in versions 3.20.108, 3.21.43, and 3.22.27.

File Upload XSS Saleor
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Saleor is an e-commerce platform. [CVSS 4.8 MEDIUM]

XSS Saleor
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Saleor is an e-commerce platform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Saleor
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Saleor is an e-commerce platform that serves high-volume companies. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Saleor
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Saleor Core is a composable, headless commerce API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Saleor
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Python Saleor
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Python Saleor
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Saleor is a headless, GraphQL commerce platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Saleor
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Saleor
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's local storage mechanism, including credentials. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.

Information Disclosure Saleor
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authentication for Critical Function vulnerability could allow attackers to access critical functionality without authentication.

Authentication Bypass Saleor
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Saleor
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Saleor
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy