XSS in Saleor

CVE-2026-22849

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to modify rich text fields containing HTML without running any backend HTML cleaners, thus allowing malici…

EPSS: 0.001 (19.6th percentile)

Affected products

  • Saleor — versions >= 3.2.0 and < 3.22.27; >= 3.1.0 and < 3.21.43; >= 3.0.0 and < 3.20.108

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2026-22849?
CVE-2026-22849 is a vulnerability in Saleor, classified under Improper Neutralization of Script in Attributes in a Web Page. Published 2026-01-21.
Is CVE-2026-22849 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.