CVE-2026-23499

EPSS 0.04%
Veröffentlicht 21.01.2026 21:36:19
Zuletzt bearbeitet 29.01.2026 18:19:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Saleor ≫ Saleor Version >= 3.0.0 < 3.20.108

Saleor ≫ Saleor Version >= 3.21.0 < 3.21.43

Saleor ≫ Saleor Version >= 3.22.0 < 3.22.27

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.119

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	8.5	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335

Patch

https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95

Vendor Advisory

https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99

Patch

https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10

Patch

https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c

Patch

https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24

Patch