CVE-2026-22849 (GCVE-0-2026-22849)

Vulnerability from cvelistv5 – Published: 2026-01-21 21:31 – Updated: 2026-01-22 16:50
VLAI?
Title
Saleor lacks proper HTML sanitization in rich text fields
Summary
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.
Severity ?
7.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
References
Impacted products
Vendor Product Version
saleor saleor Affected: >= 3.2.0, < 3.22.27
Affected: >= 3.1.0, < 3.21.43
Affected: >= 3.0.0, < 3.20.108
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22849",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T15:09:35.969984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T16:50:18.828Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "saleor",
          "vendor": "saleor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.22.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.21.43"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.20.108"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T21:31:14.664Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d"
        },
        {
          "name": "https://docs.saleor.io/security/#editorjs--html-cleaning",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.saleor.io/security/#editorjs--html-cleaning"
        }
      ],
      "source": {
        "advisory": "GHSA-8jcj-r5g2-qrpv",
        "discovery": "UNKNOWN"
      },
      "title": "Saleor lacks proper HTML sanitization in rich text fields"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22849",
    "datePublished": "2026-01-21T21:31:14.664Z",
    "dateReserved": "2026-01-12T16:20:16.745Z",
    "dateUpdated": "2026-01-22T16:50:18.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22849\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-21T22:15:49.533\",\"lastModified\":\"2026-01-21T22:15:49.533\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-83\"}]}],\"references\":[{\"url\":\"https://docs.saleor.io/security/#editorjs--html-cleaning\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22849\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-22T15:09:35.969984Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-22T15:09:37.102Z\"}}], \"cna\": {\"title\": \"Saleor lacks proper HTML sanitization in rich text fields\", \"source\": {\"advisory\": \"GHSA-8jcj-r5g2-qrpv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"saleor\", \"product\": \"saleor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.2.0, \u003c 3.22.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.21.43\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.20.108\"}]}], \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386\", \"name\": \"https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b\", \"name\": \"https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"name\": \"https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee\", \"name\": \"https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d\", \"name\": \"https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.saleor.io/security/#editorjs--html-cleaning\", \"name\": \"https://docs.saleor.io/security/#editorjs--html-cleaning\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-83\", \"description\": \"CWE-83: Improper Neutralization of Script in Attributes in a Web Page\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-21T21:31:14.664Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22849\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-22T16:50:18.828Z\", \"dateReserved\": \"2026-01-12T16:20:16.745Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-21T21:31:14.664Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.