CVE-2026-23499
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-01-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saleor | saleor | From 3.0.0 (inc) to 3.20.108 (exc) |
| saleor | saleor | From 3.21.0 (inc) to 3.21.43 (exc) |
| saleor | saleor | From 3.22.0 (inc) to 3.22.27 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Saleor e-commerce platform allows authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. If these files are served from the same domain as the dashboard without restrictions, malicious scripts can execute in the user's browser context. This can lead to script injections targeting other staff members, potentially stealing their access and refresh tokens. The vulnerability affects versions starting from 3.0.0 up to versions before 3.20.108, 3.21.43, and 3.22.27. It is mitigated if media files are hosted on a different domain or if the Content-Disposition: attachment header is returned for media files.
How can this vulnerability impact me?
The vulnerability can lead to execution of malicious scripts in the browsers of staff users, allowing attackers to steal access and refresh tokens. This can result in unauthorized access to the system by malicious staff members or compromised apps, potentially leading to data theft, unauthorized actions, and compromise of the e-commerce platform's security. The impact depends on deployment strategy, specifically if media files are served from the same domain as the dashboard without proper headers or restrictions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Saleor deployment allows authenticated staff users or Apps to upload arbitrary files such as HTML or SVG files containing JavaScript. Additionally, verify if media files are served from the same domain as the dashboard without the Content-Disposition: attachment header. Commands to check HTTP headers for media files could include using curl, for example: curl -I https://example.com/media/filename.svg to inspect if the Content-Disposition header is set to attachment. Also, review your server or CDN configuration to see if it allows uploading or serving HTML or SVG files without restrictions.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Configure the servers hosting media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header to force browsers to download files instead of rendering them.
2) Prevent the servers from returning HTML and SVG files.
3) Set up a Content-Security-Policy for media files, such as: Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'
4) Upgrade Saleor to patched versions 3.22.27, 3.21.43, or 3.20.108 if possible.
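As an added check (example code, not Saleor's or BaseFortify's), the Python below turns the detection advice (curl -I on a media URL) and the header-level mitigations above into an audit of one media response's headers; fetch_media_headers is an assumed helper that mirrors curl -I, and the sample headers are constructed.

```python
"""Header audit for one Saleor media response (added example, not Saleor code).
Checks the advisory's header-level mitigations on headers captured with curl -I
or fetched by fetch_media_headers(); the sample headers below are constructed."""
import urllib.request

# Types a browser executes script from when it renders them inline.
ACTIVE_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Directives the recommended media CSP sets to 'none'.
REQUIRED_NONE = ("default-src", "base-uri", "frame-ancestors", "form-action")

def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def parse_csp(value):
    """Map each CSP directive name to its lower-cased source list."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def assess_media_response(headers):
    """Return findings for one media response; an empty list means hardened."""
    findings = []
    attachment = _get(headers, "Content-Disposition").strip().lower().startswith("attachment")
    if not attachment:
        findings.append("Content-Disposition is not 'attachment'; the file may render inline")
    mime = _get(headers, "Content-Type").split(";")[0].strip().lower()
    if mime in ACTIVE_MIME_TYPES and not attachment:
        findings.append(f"active content type {mime} is rendered inline from the media origin")
    policy = parse_csp(_get(headers, "Content-Security-Policy"))
    missing = [d for d in REQUIRED_NONE if policy.get(d) != ["'none'"]]
    if missing:
        findings.append("CSP does not set 'none' for: " + ", ".join(missing))
    return findings

def fetch_media_headers(url, timeout=10):
    """HEAD the URL, like curl -I, and return its headers as a dict (assumed helper)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed samples: an unhardened SVG response beside a hardened one.
UNHARDENED = {"Content-Type": "image/svg+xml", "Content-Length": "412"}
HARDENED = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": 'attachment; filename="upload.svg"',
    "Content-Security-Policy": "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'",
}
```

Run assess_media_response(fetch_media_headers(url)) against a media URL of your own deployment; three findings on the unhardened sample versus none on the hardened one show which of the mitigations is still missing.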