CVE-2026-22849 (GCVE-0-2026-22849)
Vulnerability from cvelistv5
Published
2026-01-21 21:31
Modified
2026-01-22 16:50
CWE
- CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Summary
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to put HTML into rich text fields without running any backend HTML cleaner, which let malicious actors perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. If upgrading straight away is not possible, a possible workaround is to use a client-side cleaner. A client-side cleaner only protects the front ends that apply it; the rich text held by the backend stays unsanitized until the patched version is installed.
References
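| URL | Tags |
|---|---|
| https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv | x_refsource_CONFIRM |
| https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 | x_refsource_MISC |
| https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b | x_refsource_MISC |
| https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 | x_refsource_MISC |
| https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee | x_refsource_MISC |
| https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d | x_refsource_MISC |
| https://docs.saleor.io/security/#editorjs--html-cleaning | x_refsource_MISC |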
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22849",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T15:09:35.969984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T16:50:18.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saleor",
"vendor": "saleor",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.22.27"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.21.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.20.108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-83",
"description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T21:31:14.664Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv"
},
{
"name": "https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386"
},
{
"name": "https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b"
},
{
"name": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335"
},
{
"name": "https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee"
},
{
"name": "https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d"
},
{
"name": "https://docs.saleor.io/security/#editorjs--html-cleaning",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.saleor.io/security/#editorjs--html-cleaning"
}
],
"source": {
"advisory": "GHSA-8jcj-r5g2-qrpv",
"discovery": "UNKNOWN"
},
"title": "Saleor lacks proper HTML sanitization in rich text fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22849",
"datePublished": "2026-01-21T21:31:14.664Z",
"dateReserved": "2026-01-12T16:20:16.745Z",
"dateUpdated": "2026-01-22T16:50:18.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22849\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T15:09:35.969984Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T15:09:37.102Z\"}}], \"cna\": {\"title\": \"Saleor lacks proper HTML sanitization in rich text fields\", \"source\": {\"advisory\": \"GHSA-8jcj-r5g2-qrpv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"saleor\", \"product\": \"saleor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.2.0, \u003c 3.22.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.21.43\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.20.108\"}]}], \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386\", \"name\": 
\"https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b\", \"name\": \"https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"name\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee\", \"name\": \"https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d\", \"name\": \"https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.saleor.io/security/#editorjs--html-cleaning\", \"name\": \"https://docs.saleor.io/security/#editorjs--html-cleaning\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. 
In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-83\", \"description\": \"CWE-83: Improper Neutralization of Script in Attributes in a Web Page\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-21T21:31:14.664Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-22849\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T16:50:18.828Z\", \"dateReserved\": \"2026-01-12T16:20:16.745Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-21T21:31:14.664Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.