CNNVD-202601-3342 Information

CNNVD ID

CNNVD-202601-3342

CVE-2026-22849

  • CNNVD Published: 2026-01-21

Description (Chinese)

Saleor is open-source interface software from Saleor Commerce. Saleor versions from 3.0.0 up to (but not including) 3.20.108, versions before 3.21.43, and versions before 3.22.27 contain a security vulnerability: users are allowed to modify the HTML in rich text fields without the back-end HTML cleaner being run, which may allow a malicious actor to carry out a stored cross-site scripting (XSS) attack.

Description (English)

Saleor is open-source interface software from Saleor Commerce. Saleor versions from 3.0.0 up to (but not including) 3.20.108, versions before 3.21.43, and versions before 3.22.27 contain a security vulnerability: users are allowed to modify the HTML in rich text fields without the back-end HTML cleaner being run, which may allow a malicious actor to carry out a stored cross-site scripting (XSS) attack.

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Saleor Commerce

Published

2026-01-21

Last Modified

2026-02-24

References

  • https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
  • https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d
  • https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv
  • https://docs.saleor.io/security/#editorjs–html-cleaning
  • https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee
  • https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386
  • https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b
  • https://access.redhat.com/security/cve/cve-2026-22849

Patch

https://github.com/saleor/saleor/releases