PT-2026-3866 · Saleor · Saleor

Lukasz-Rybak · Published 2026-01-21 · Updated 2026-01-21 · CVE-2026-22849

CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Saleor versions 3.0.0 through 3.20.107
Saleor versions 3.21.0 through 3.21.42
Saleor versions 3.22.0 through 3.22.26

Description
Saleor, an e-commerce platform, permitted modification of rich text fields with HTML without backend sanitization. This allowed malicious actors to execute stored cross-site scripting (XSS) attacks on both dashboards and storefronts. Specifically, malicious staff members could inject scripts to target other staff members, potentially compromising their access and refresh tokens. The root cause is the platform's failure to sanitize HTML input in rich text fields, potentially leading to unauthorized script execution in the browsers of dashboard and storefront users.

Recommendations
Upgrade to Saleor version 3.20.108 or later.
Upgrade to Saleor version 3.21.43 or later.
Upgrade to Saleor version 3.22.27 or later.
As a temporary workaround, implement a client-side HTML cleaner.

Tags: XSS

Related Identifiers

CVE-2026-22849
GHSA-8JCJ-R5G2-QRPV

Affected Products

Saleor