6 matches found

Packet Storm News
added 2026/04/13 12:0 a.m., 2 views

Saleor Cross Site Scripting

Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform persistent cross site scripting attacks on dashboards and storefronts. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108...

AI score: 5.1 | Exploits: 0

Packet Storm News
added 2026/04/13 12:0 a.m., 2 views

Saleor Cross Site Scripting

Saleor suffers from a persistent cross site scripting vulnerability via an unrestricted file upload functionality. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108...

CVSS: 8.5 | AI score: 5.2 | EPSS: 0.00061 | Exploits: 1

Cvelist
added 2026/01/21 9:36 p.m., 16 views

CVE-2026-23499 Saleor vulnerable to stored XSS via Unrestricted File Upload

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these...

CVSS: 8.5 | EPSS: 0.00061 | Exploits: 1 | References: 7

CVE
added 2026/01/21 9:31 p.m., 11 views

CVE-2026-22849

Saleor (e-commerce platform) contains a stored XSS vulnerability in rich text fields due to missing backend HTML cleaning prior to versions 3.20.108, 3.21.43, and 3.22.27. The underlying issue is lack of HTML sanitization in rich text content, enabling malicious actors to inject scripts that coul...

CVSS: 7.2 | AI score: 5.4 | EPSS: 0.00062 | Exploits: 0 | References: 7 | Affected Software: 1

EUVD
added 2026/01/21 9:31 p.m., 4 views

EUVD-2026-3777

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and...

CVSS: 7.2 | AI score: 5.4 | EPSS: 0.00062 | Exploits: 0 | References: 7

Positive Technologies
added 2026/01/21 12:0 a.m., 4 views

PT-2026-3867

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these...

CVSS: 8.5 | AI score: 5.9 | EPSS: 0.00061 | Exploits: 1 | References: 8