Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://docs.saleor.io/security/#editorjs--html-cleaning cve-icon cve-icon
https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 cve-icon cve-icon
https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b cve-icon cve-icon
https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 cve-icon cve-icon
https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee cve-icon cve-icon
https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d cve-icon cve-icon
https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv cve-icon cve-icon
History

Wed, 21 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. In case of inability to upgrade straight away, a possible workaround is to use client-side cleaner.
Title Saleor lacks proper HTML sanitization in rich text fields
Weaknesses CWE-83
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:31:14.664Z

Reserved: 2026-01-12T16:20:16.745Z

Link: CVE-2026-22849

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-01-21T22:15:49.533

Modified: 2026-01-21T22:15:49.533

Link: CVE-2026-22849

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses