CVE-2026-23499 (GCVE-0-2026-23499)
Vulnerability from cvelistv5
Published
2026-01-21 21:36
Modified
2026-01-22 16:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T15:09:33.487872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T16:50:13.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "saleor",
"vendor": "saleor",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.22.27"
},
{
"status": "affected",
"version": "\u003e= 3.1.0, \u003c 3.21.43"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.20.108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user\u0027s browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src \u0027none\u0027; base-uri \u0027none\u0027; frame-ancestors \u0027none\u0027; form-action \u0027none\u0027;`."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T21:36:19.702Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95"
},
{
"name": "https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99"
},
{
"name": "https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10"
},
{
"name": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335"
},
{
"name": "https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c"
},
{
"name": "https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24"
},
{
"name": "https://docs.saleor.io/security/#restricted-file-uploads",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.saleor.io/security/#restricted-file-uploads"
}
],
"source": {
"advisory": "GHSA-666h-2p49-pg95",
"discovery": "UNKNOWN"
},
"title": "Saleor vulnerable to stored XSS via Unrestricted File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23499",
"datePublished": "2026-01-21T21:36:19.702Z",
"dateReserved": "2026-01-13T15:47:41.629Z",
"dateUpdated": "2026-01-22T16:50:13.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23499\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T15:09:33.487872Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T15:09:34.896Z\"}}], \"cna\": {\"title\": \"Saleor vulnerable to stored XSS via Unrestricted File Upload\", \"source\": {\"advisory\": \"GHSA-666h-2p49-pg95\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"saleor\", \"product\": \"saleor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.2.0, \u003c 3.22.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.21.43\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.20.108\"}]}], \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99\", \"name\": \"https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10\", \"name\": \"https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"name\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c\", \"name\": \"https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24\", \"name\": \"https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.saleor.io/security/#restricted-file-uploads\", \"name\": \"https://docs.saleor.io/security/#restricted-file-uploads\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user\u0027s browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src \u0027none\u0027; base-uri \u0027none\u0027; frame-ancestors \u0027none\u0027; form-action \u0027none\u0027;`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-434\", \"description\": \"CWE-434: Unrestricted Upload of File with Dangerous Type\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-21T21:36:19.702Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-23499\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T16:50:13.686Z\", \"dateReserved\": \"2026-01-13T15:47:41.629Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-21T21:36:19.702Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…