Description
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.
Published: 2026-01-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

Saleor, an open‑source e‑commerce platform, suffers an arbitrary file upload flaw that allows authenticated staff users or applications to upload any file type, including malicious HTML and SVG that contain JavaScript. The uploaded files are stored and later served from the same domain as the administration dashboard without proper content‑type handling. When a user visits the URL, the browser renders the file and executes the embedded scripts in the context of that user’s session. This stored cross‑site scripting can lead to theft of session cookies, access or refresh tokens, or other in‑browser data, effectively allowing an attacker to hijack other staff accounts.

Affected Systems

Affected vendor is Saleor. The vulnerability exists in Saleor versions from 3.0.0 up to (but not including) the patch releases 3.20.108, 3.21.43, and 3.22.27. The issue is only exploitable when media files are served from the same domain as the administration interface and the server does not set a Content‑Disposition: attachment header, and Saleor Cloud deployments are not affected.

Risk and Exploitability

With a CVSS score of 8.5, this vulnerability is classified as High severity. The EPSS score is below 1%, indicating a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need legitimate staff credentials or a compromised application token to use the upload functionality, and the media must be reachable under the same domain as the admin UI. Once uploaded, the malicious content is served without sanitization, allowing the script to run in any staff member’s browser and potentially capture session tokens or perform other malicious actions.

Generated by OpenCVE AI on April 18, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saleor to a patched release (3.22.27, 3.21.43, or 3.20.108).
  • Configure your media server or reverse proxy to return a "Content‑Disposition: attachment" header for all media files, forcing download rather than rendering.
  • Block the delivery of HTML and SVG files from the media endpoint, restricting allowed MIME types to safe media types. (e.g., .jpg, .png, .gif, .mp3, etc.)
  • Add a strict Content‑Security‑Policy header for media URLs, such as "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';" to mitigate any accidental execution of injected scripts.

Generated by OpenCVE AI on April 18, 2026 at 04:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Saleor
Saleor saleor
Vendors & Products Saleor
Saleor saleor

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.
Title Saleor vulnerable to stored XSS via Unrestricted File Upload
Weaknesses CWE-434
CWE-79
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Saleor Saleor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T16:50:13.686Z

Reserved: 2026-01-13T15:47:41.629Z

Link: CVE-2026-23499

cve-icon Vulnrichment

Updated: 2026-01-22T15:09:34.896Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-21T22:15:49.703

Modified: 2026-01-29T18:19:14.347

Link: CVE-2026-23499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses