CVE-2026-23499

HIGH EPSS 13.5%
Published Jan 21, 20265mo ago · Modified Jun 17, 20262w ago
8.5 CVSS 4.0
High
Find Similar
Published Jan 21, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.

CVSS Details

Base Score
8.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
13.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-434 Unrestricted Upload of File with Dangerous Type Resource Mgmt
CWE-79 Cross-site Scripting Injection

Affected Products 3

VendorProductVersionRange
saleorsaleor*≥3.0.0  –  <3.20.108
saleorsaleor*≥3.21.0  –  <3.21.43
saleorsaleor*≥3.22.0  –  <3.22.27

References 7

  • docs.saleor.io https://docs.saleor.io/security/#restricted-file-uploads
    Product
  • github.com https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
    Patch
  • github.com https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
    Patch
  • github.com https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
    Patch
  • github.com https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
    Patch
  • github.com https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
    Patch
  • github.com https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95
    Vendor Advisory

Remediation

  • github.com https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
    Patch
  • github.com https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
    Patch
  • github.com https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
    Patch
  • github.com https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
    Patch
  • github.com https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
    Patch