CVE-2026-23499

Jan. 21, 2026, 10:15 p.m.

8.5
High

Description

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.

Product(s) Impacted

Vendor Product Versions
Saleor
  • Saleor
  • 3.0.0-3.20.107, 3.21.0-3.21.42, 3.22.0-3.22.26

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a saleor saleor 3.0.0-3.20.107 / / / / / / /
a saleor saleor 3.21.0-3.21.42 / / / / / / /
a saleor saleor 3.22.0-3.22.26 / / / / / / /

References

https://docs.saleor.io/security/#restricted-file-uploads
https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95

Tags

[email protected]
CWE-79
2026-01-21
CVE-2026-23499

CVSS Score

8.5 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: PASSIVE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 21, 2026, 10:15 p.m.
Last Modified: Jan. 21, 2026, 10:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.