PT-2026-3867 · Saleor · Saleor

Lukasz-Rybak

·

Published

2026-01-21

·

Updated

2026-01-21

·

CVE-2026-23499

CVSS v4.0

8.5

High

Vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Saleor versions 3.0.0 through 3.20.107
Saleor versions 3.21.0 through 3.21.42
Saleor versions 3.22.0 through 3.22.26
Description

Saleor, an e-commerce platform, permitted authenticated staff users or Apps to upload arbitrary files, including HTML and SVG files that can carry JavaScript. If media files are hosted on the same origin as the dashboard, these files are served as documents rather than downloads, and any script they contain executes in the browser of whoever opens them, with the same origin as the dashboard. A malicious staff member could therefore plant a file that targets other staff members and steal their access and refresh tokens. The issue is present only when media files are served without a Content-Disposition: attachment header. Saleor Cloud users are not affected. The vulnerable API endpoint, parameter and function are not specified.
Recommendations

Saleor versions 3.0.0 through 3.20.107: upgrade to version 3.20.108 or later.
Saleor versions 3.21.0 through 3.21.42: upgrade to version 3.21.43 or later.
Saleor versions 3.22.0 through 3.22.26: upgrade to version 3.22.27 or later.

Additionally, for self-hosted media:
Configure the servers hosting media files to return the Content-Disposition: attachment header.
Prevent those servers from serving HTML and SVG files.
Set a Content-Security-Policy on media responses, for example: Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';
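The following Python is an added example written for this entry; it is not Saleor's code and does not come from the advisory. It checks a media response's headers against the hardening advice above, sniffs an upload body for HTML/SVG content regardless of the file extension it was given, and reports whether media and dashboard share a web origin (the condition under which a planted script can reach dashboard tokens). The sample headers and the SVG body are constructed for the example; the X-Content-Type-Options: nosniff check is a standard complement that the advisory itself does not list.

```python
"""Checks for the mitigations described in the advisory.
Added example code; not Saleor's own code. Sample data is constructed."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# MIME types a browser renders as a document, executing any script inside.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

# Extensions that a web server will typically serve with one of the types above.
ACTIVE_EXTENSIONS = {"svg", "svgz", "html", "htm", "xhtml"}

# Byte patterns that identify an HTML/SVG body regardless of its filename.
_ACTIVE_MARKERS = re.compile(rb"<\s*(?:!doctype\s+html|html|svg|script)\b", re.IGNORECASE)


def is_active_content(data: bytes, filename: str) -> bool:
    """Return True if an uploaded file would be rendered as HTML/SVG.

    Rejects by extension, then sniffs the first 1 KiB of the body so that an
    SVG renamed to photo.png is still caught.
    """
    if filename.lower().rsplit(".", 1)[-1] in ACTIVE_EXTENSIONS:
        return True
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")  # drop UTF-8 BOM / whitespace
    return bool(_ACTIVE_MARKERS.search(head))


def assess_media_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a media-file HTTP response; empty means hardened.

    Header names are matched case-insensitively. Only the first parameter of
    Content-Type and Content-Disposition is considered.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "")
    findings: List[str] = []

    if disp != "attachment":
        findings.append("missing Content-Disposition: attachment")
        if ctype in ACTIVE_CONTENT_TYPES:
            findings.append(f"{ctype} served inline: embedded script runs in the media origin")
    if "default-src 'none'" not in csp:
        findings.append("no Content-Security-Policy with default-src 'none'")
    # Not in the advisory: stops browsers from upgrading a mislabeled body to HTML/SVG.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def media_shares_dashboard_origin(media_url: str, dashboard_url: str) -> bool:
    """True when media and dashboard share a web origin (scheme, host, port).

    Same origin means script in a media file can read the dashboard's storage
    and cookies. An explicit default port (":443") is treated as different
    from an implicit one, which is conservative for this check.
    """
    m, d = urlsplit(media_url), urlsplit(dashboard_url)
    return (m.scheme, m.hostname, m.port) == (d.scheme, d.hostname, d.port)


# Constructed sample data for the example (hypothetical hosts).
VULNERABLE_RESPONSE = {"Content-Type": "image/svg+xml", "Content-Length": "120"}
HARDENED_RESPONSE = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": 'attachment; filename="logo.svg"',
    "Content-Security-Policy": "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';",
    "X-Content-Type-Options": "nosniff",
}
# An SVG carrying a script element, renamed to look like a PNG.
SCRIPTED_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>console.log(1)</script></svg>')
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    print("upload logo.png rejected:", is_active_content(SCRIPTED_SVG, "logo.png"))
    print("vulnerable:", assess_media_headers(VULNERABLE_RESPONSE))
    print("hardened:", assess_media_headers(HARDENED_RESPONSE))
    print("same origin:", media_shares_dashboard_origin(
        "https://shop.example/media/logo.svg", "https://shop.example/dashboard/"))
```

Run the header check against a real deployment by feeding it the headers of a GET to any media URL; a non-empty result on a self-hosted instance is the condition the advisory describes. The upload sniff belongs in whatever validation runs before a file is stored, since the advisory's mitigation is to refuse these file types rather than to sanitize them.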

Exploit

Fix

XSS

Unrestricted File Upload


Weakness Enumeration

Related identifiers

CVE-2026-23499
GHSA-666H-2P49-PG95

Affected products

Saleor