CVE-2026-22849
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Saleor e-commerce platform allows malicious staff members to inject HTML/JavaScript into rich text fields. The injected scripts execute when other staff members view the content, potentially stealing authentication tokens. All Saleor deployments running version 3.0.0 through 3.22.26 (excluding patched versions) are affected.
💻 Affected Systems
- Saleor e-commerce platform
📦 What is this software?
Saleor by Saleor
⚠️ Risk & Real-World Impact
Worst Case
Malicious staff member steals admin tokens, gains full system access, compromises customer data, and takes over the entire e-commerce platform.
Likely Case
Privilege escalation where lower-privileged staff members steal higher-privileged tokens, leading to unauthorized administrative access.
If Mitigated
Limited to staff member account compromise if proper segmentation exists, but could still lead to data exposure.
🎯 Exploit Status
Exploitation requires staff-level access. The attack consists of simple HTML/JavaScript injection into rich text fields that lack backend sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.20.108, 3.21.43, or 3.22.27
Vendor Advisory: https://docs.saleor.io/security/#editorjs--html-cleaning
Restart Required: Yes
Instructions:
1. Backup your Saleor instance.
2. Update to version 3.20.108, 3.21.43, or 3.22.27 using your package manager.
3. Restart all Saleor services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Client-side HTML cleaner
Implement client-side HTML sanitization for all rich text inputs before submission. This only covers content submitted through the dashboard; it does not constrain a staff member who sends content directly to the API, so pair it with server-side cleaning.
🧯 If You Can't Patch
- Implement strict input validation and HTML sanitization at the application layer
- Restrict staff permissions and implement principle of least privilege for rich text editing
🔍 How to Verify
Check if Vulnerable:
Check whether the Saleor version is between 3.0.0 and 3.22.26 (excluding patched versions) and rich text editing is enabled
Check Version:
python -c "import saleor; print(saleor.__version__)" or check package.json
Verify Fix Applied:
Verify that the version is 3.20.108, 3.21.43, or 3.22.27, and test rich text fields to confirm that injected HTML is cleaned
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript patterns in rich text field submissions
- Multiple failed authentication attempts from new locations
Network Indicators:
- Unexpected outbound connections after staff members view rich text content
SIEM Query:
source="saleor" AND (message="*<script>*" OR message="*javascript:*") AND field="rich_text"
🔗 References
- https://docs.saleor.io/security/#editorjs--html-cleaning
- https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386
- https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b
- https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
- https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee
- https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d
- https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv