CVE-2026-22849
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-21

Last updated on: 2026-01-29

Assigner: GitHub, Inc.

Description
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-29
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22849
EUVD
EUVD-2026-3777
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
saleor saleor From 3.0.0 (inc) to 3.20.108 (exc)
saleor saleor From 3.21.0 (inc) to 3.21.43 (exc)
saleor saleor From 3.22.0 (inc) to 3.22.27 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Saleor e-commerce platform allows users to modify rich text fields with HTML without backend HTML cleaning, enabling malicious actors to perform stored cross-site scripting (XSS) attacks on dashboards and storefronts. Malicious staff members could inject scripts targeting other staff, potentially stealing their access and refresh tokens. The issue affects versions from 3.0.0 up to but not including 3.20.108, 3.21.43, and 3.22.27, where it has been patched.

Impact Analysis

The vulnerability can lead to stored XSS attacks, allowing attackers to execute malicious scripts in the context of other users, particularly staff members. This can result in theft of access and refresh tokens, potentially leading to unauthorized access to sensitive parts of the platform, compromising user accounts, and further exploitation of the system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Saleor to one of the patched versions: 3.22.27, 3.21.43, or 3.20.108. If upgrading immediately is not possible, a possible workaround is to use a client-side HTML cleaner to sanitize rich text fields and prevent stored XSS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart