CVE-2026-22849
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2026-22849, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-21

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-21
Last Modified
2026-01-29
Generated
2026-07-06
AI Q&A
2026-01-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
saleor saleor From 3.0.0 (inc) to 3.20.108 (exc)
saleor saleor From 3.21.0 (inc) to 3.21.43 (exc)
saleor saleor From 3.22.0 (inc) to 3.22.27 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Saleor e-commerce platform allows users to modify rich text fields with HTML without backend HTML cleaning, enabling malicious actors to perform stored cross-site scripting (XSS) attacks on dashboards and storefronts. Malicious staff members could inject scripts targeting other staff, potentially stealing their access and refresh tokens. The issue affects versions from 3.0.0 up to but not including 3.20.108, 3.21.43, and 3.22.27, where it has been patched.

Impact Analysis

The vulnerability can lead to stored XSS attacks, allowing attackers to execute malicious scripts in the context of other users, particularly staff members. This can result in theft of access and refresh tokens, potentially leading to unauthorized access to sensitive parts of the platform, compromising user accounts, and further exploitation of the system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Saleor to one of the patched versions: 3.22.27, 3.21.43, or 3.20.108. If upgrading immediately is not possible, a possible workaround is to use a client-side HTML cleaner to sanitize rich text fields and prevent stored XSS attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart