Stored XSS Vulnerability in Saleor E-commerce Platform
CVE-2026-22849
What is CVE-2026-22849?
Saleor's rich text fields accepted HTML from users without the backend sanitizing it, so whatever markup a user saved was stored and later rendered as-is. A malicious staff member could exploit this to perform stored XSS against both the dashboard and storefronts, injecting scripts aimed at other users and potentially compromising their access tokens or refresh tokens. The issue has been fixed in versions 3.22.27, 3.21.43, and 3.20.108. If an immediate upgrade is not feasible, a client-side HTML cleaner can be employed as a temporary workaround.
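The missing control is server-side sanitization of the inline HTML inside rich text blocks before it is stored. The following is an added illustration, not Saleor's own code: it assumes an EditorJS-like block document (a `blocks` list whose `data.text` and `data.items` carry inline HTML, a constructed shape) and uses only the Python standard library to apply an allowlist of tags and attributes, drop `<script>`/`<style>` content entirely, strip event-handler attributes, and reject `href` values with unsafe URL schemes. In a real Django backend you would normally reach for a maintained sanitizer such as `nh3` or `bleach`; the point here is to show where the cleansing belongs and what it must cover.

```python
"""Allowlist-based HTML cleaner for rich-text blocks (added example, not Saleor code)."""
import json
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "u", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no id
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are removed


def _safe_url(value):
    """Reject javascript:/data:/etc. Whitespace and control chars are removed
    first, because browsers ignore them when resolving a scheme."""
    if value is None:
        return None
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_URL_SCHEMES else None


class _AllowlistCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self._dropped_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropped_depth += 1
            return
        if self._dropped_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is stripped; its inner text is kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href":
                value = _safe_url(value)
                if value is None:
                    continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._dropped_depth = max(0, self._dropped_depth - 1)
            return
        if self._dropped_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            while self.open_tags:  # close back to the matching tag, keeping output balanced
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._dropped_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def result(self):
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Return the fragment reduced to allowlisted tags/attributes with safe hrefs."""
    cleaner = _AllowlistCleaner()
    cleaner.feed(fragment)
    cleaner.close()
    return cleaner.result()


def sanitize_rich_text(document: dict) -> dict:
    """Clean the inline HTML of every block before persisting the document.
    Assumes the constructed EditorJS-like shape: blocks[].data.text / data.items."""
    clean = json.loads(json.dumps(document))  # deep copy; never mutate the input
    for block in clean.get("blocks", []):
        data = block.get("data", {})
        if isinstance(data.get("text"), str):
            data["text"] = sanitize_html(data["text"])
        if isinstance(data.get("items"), list):
            data["items"] = [sanitize_html(i) if isinstance(i, str) else i for i in data["items"]]
    return clean


# Constructed sample input (not from the advisory): what an unsanitized save would store.
SAMPLE_RICH_TEXT = {
    "blocks": [
        {"type": "paragraph", "data": {"text": "Hello <b>world</b> <script>alert(1)</script>"}},
        {"type": "paragraph", "data": {"text": '<a href="javascript:alert(1)" onclick="x()">link</a> '
                                               '<a href="https://example.com/">ok</a>'}},
        {"type": "list", "data": {"items": ["<i>fine</i>", '<A HREF=" JaVaScRiPt:alert(1)">x</A>']}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(sanitize_rich_text(SAMPLE_RICH_TEXT), indent=2))
```

Because `HTMLParser` decodes character references in attribute values before they reach the handler, an encoded `javascript:` scheme is caught the same way as a plain one; the output side escapes all text and attribute values again, so nothing stored can re-enter the DOM as markup except the allowlisted tags. This is the backend counterpart of the client-side cleaner the advisory suggests as a stopgap: the server-side check is the one that protects every consumer of the stored data, including the dashboard and storefronts.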

Affected Version(s)
saleor   affected: >= 3.2.0, < 3.22.27    fixed in: 3.22.27
saleor   affected: >= 3.1.0, < 3.21.43    fixed in: 3.21.43
saleor   affected: >= 3.0.0, < 3.20.108   fixed in: 3.20.108
