5.3

CVE-2026-39851

Saleor has a user enumeration vulnerability due to different error messages

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SaleorSaleor Version >= 2.10.0 < 3.20.118
SaleorSaleor Version >= 3.21.0 < 3.21.54
SaleorSaleor Version >= 3.22.0 < 3.22.47
SaleorSaleor Version3.23.0 Updatealpha0
SaleorSaleor Version3.23.0 Updatealpha1
SaleorSaleor Version3.23.0 Updatealpha2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.151
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 5.3 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64
Patch
https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8
Patch
https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a
Patch
https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa
Patch
https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464
Patch
https://github.com/saleor/saleor/security/advisories/GHSA-m3rm-m4vq-27x7
Patch
Vendor Advisory