CVE-2026-22849: Saleor Stored XSS Flaw Enabling Silent Token Theft and Admin Session Takeover

CVE ID: CVE-2026-22849
Product: Saleor (e-commerce platform)
Vulnerability Type: Stored Cross-Site Scripting (XSS)
Impact Focus: Authentication token theft, session hijacking
CVSS v3 Score: 5.4
Severity: Medium
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Authenticated / Staff-level user
User Interaction: Required
Exploit Maturity: No public weaponized exploit; exploitation feasible in real environments
Exploit Availability: Educational / theoretical exploitation only
Official Fix Status: Patch available (upgrade required)


Overview

A stored cross-site scripting vulnerability was identified in Saleor due to insufficient server-side sanitization of HTML content submitted through rich-text (EditorJS-based) fields. Content entered by authenticated staff users was stored and later rendered in administrative dashboards or storefront pages without adequate cleaning.

As a result, malicious scripts embedded in stored content could be executed in the browser of another user viewing that content. When executed in the same origin as the Saleor application, such scripts could access sensitive browser storage locations and extract authentication tokens. These tokens could then be misused to impersonate affected users.

The vulnerability does not allow anonymous exploitation; however, it poses a serious risk in environments where staff accounts are shared, compromised, or insufficiently monitored.


Affected Components

The issue affected multiple areas where rich-text or structured content was accepted and rendered, including but not limited to:

  • Product descriptions
  • Page content (CMS pages)
  • Metadata fields using EditorJS
  • Administrative views rendering stored HTML

All Saleor versions starting from 3.0.0 up to the patched releases were impacted.


How Exploitation Could Occur

  1. A staff-level user account submits content containing embedded script logic into a rich-text field.
  2. The content is saved to the database without being sanitized server-side.
  3. Another authenticated user or storefront visitor later views the affected page.
  4. The stored script is executed automatically by the victim’s browser.
  5. Browser storage (such as local storage or cookies accessible to JavaScript) is accessed.
  6. Authentication tokens are extracted and transmitted to an external destination.
  7. The stolen tokens are reused to access the Saleor application as the victim.

This entire process occurs silently in the background and may leave little visible evidence to the victim.


Potential Impact

  • Unauthorized access to administrative APIs
  • Full account impersonation using stolen tokens
  • Unauthorized modification of products, pricing, or content
  • Data exposure depending on account permissions
  • Persistence through repeated rendering of stored malicious content

MITRE Classification

  • CAPEC:
    • CAPEC-63 – Cross-Site Scripting (XSS)
  • ATT&CK Mapping:
    • Initial Access – Exploit Public-Facing Application
    • Credential Access – Web Session Cookie or Token Theft
    • Collection – Data from Web Applications

Proof of Concept / Exploitation Availability (Educational)

No public, ready-to-use exploit code has been published for this vulnerability. However, exploitation is considered practically feasible due to the nature of stored XSS issues.

From an educational and defensive standpoint, exploitation would rely on:

  • Ability to store HTML or script-like content in rich-text fields
  • Rendering of that content by another user
  • Absence of server-side sanitization or restrictive Content Security Policy

No automated exploitation frameworks are known to include this CVE at the time of disclosure.


Detection and Monitoring Guidance

Primary Log Sources to Monitor

  • Application logs (content creation and update endpoints)
  • Admin activity logs (staff actions)
  • Web server / reverse proxy access logs
  • WAF logs
  • Authentication and session logs
  • Database audit logs for content changes

Indicators of Suspicious Activity

  • Rich-text content containing unexpected HTML tags
  • Inline JavaScript-like patterns in stored content
  • Content updates followed by unusual login activity
  • Session tokens being reused from new IP addresses
  • Admin actions performed shortly after content edits

Sample Detection Patterns

These patterns are intended only for detection and prevention, not exploitation.

Suspicious Content Indicators

  • <script
  • onerror=
  • onload=
  • javascript:
  • <iframe
  • <svg
  • document.cookie
  • localStorage
  • sessionStorage

Example SIEM Detection Logic

  • Identify POST or PUT requests to content-management endpoints
  • Inspect request bodies for HTML/script indicators
  • Correlate with subsequent authentication anomalies
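The three steps above, run over a handful of constructed log events, as an added example that is not part of the original advisory and is not Saleor's own tooling. It uses the advisory's indicator list, assumes JSON-lines records with `ts`, `event`, `user`, `ip`, `method`, `path` and `body` fields (a hypothetical schema), and treats `/graphql/` and `/dashboard/` as the content-management endpoints (an assumption; real paths depend on the deployment). One detail worth seeing in code: Saleor's API is GraphQL, so rich-text content arrives inside JSON, and some serializers write `<` as `\u003c`, which hides `<script` from a regex run over the raw body; the example decodes the body first and walks nested JSON strings so the indicators are matched against what the server will actually store.

```python
import json
import re
from datetime import datetime, timedelta

# Indicator patterns, taken from the advisory's "Suspicious Content Indicators" list.
INDICATOR_RE = re.compile(
    r"<script|onerror\s*=|onload\s*=|javascript\s*:|<iframe|<svg"
    r"|document\.cookie|localStorage|sessionStorage",
    re.IGNORECASE,
)
# Hypothetical content-management endpoints; real paths depend on the deployment.
CONTENT_PATHS = ("/graphql/", "/dashboard/")
CONTENT_METHODS = ("POST", "PUT")


def collect_text(node):
    """Concatenate every string value in a parsed JSON document. Strings that themselves
    hold JSON (EditorJS content is often submitted as a JSON string) are parsed and walked too."""
    if isinstance(node, dict):
        return " ".join(collect_text(v) for v in node.values())
    if isinstance(node, list):
        return " ".join(collect_text(v) for v in node)
    if isinstance(node, str):
        stripped = node.strip()
        if stripped and stripped[0] in "{[":
            try:
                return collect_text(json.loads(stripped))
            except ValueError:
                pass
        return node
    return ""


def decode_body(raw_body):
    """Resolve JSON string escapes before matching: a serializer that writes '<' as
    '\\u003c' hides '<script' from any regex that runs over the raw bytes."""
    try:
        return collect_text(json.loads(raw_body))
    except ValueError:
        return raw_body


def find_indicators(text):
    """Return the distinct indicator strings present in text, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(text)})


def build_request_body(text):
    """Constructed GraphQL-style request body carrying EditorJS content as a JSON string,
    as written by a serializer that escapes angle brackets (Go's encoding/json does this)."""
    editorjs = json.dumps({"blocks": [{"type": "paragraph", "data": {"text": text}}]})
    body = json.dumps({"query": "mutation UpdatePage($content: JSONString) { ... }",  # hypothetical
                       "variables": {"content": editorjs}})
    return body.replace("<", "\\u003c").replace(">", "\\u003e")


SAMPLE_EVENTS = [  # constructed events, not real Saleor log records
    {"ts": "2026-01-10T08:00:00", "event": "auth", "user": "admin", "ip": "10.0.0.5"},
    {"ts": "2026-01-10T09:00:00", "event": "request", "user": "editor", "ip": "10.0.0.9",
     "method": "POST", "path": "/graphql/", "body": build_request_body("Spring sale: <b>20% off</b>")},
    {"ts": "2026-01-10T09:05:00", "event": "request", "user": "editor", "ip": "10.0.0.9",
     "method": "POST", "path": "/graphql/", "body": build_request_body("Hi <script>alert(1)</script>")},
    {"ts": "2026-01-10T09:12:00", "event": "auth", "user": "admin", "ip": "10.0.0.5"},
    {"ts": "2026-01-10T09:20:00", "event": "auth", "user": "admin", "ip": "203.0.113.77"},
    {"ts": "2026-01-10T12:00:00", "event": "auth", "user": "admin", "ip": "198.51.100.3"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def analyze(log_lines, window_minutes=30):
    """Flag content writes whose decoded body carries an indicator, then list authentications
    within the window that came from an IP the user had not used before the write."""
    events = sorted((json.loads(line) for line in log_lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "request" or ev["method"] not in CONTENT_METHODS:
            continue
        if not ev["path"].startswith(CONTENT_PATHS):
            continue
        hits = find_indicators(decode_body(ev.get("body", "")))
        if not hits:
            continue
        deadline = datetime.fromisoformat(ev["ts"]) + timedelta(minutes=window_minutes)
        # Baseline: the IPs each user authenticated from before the suspicious write.
        baseline = {}
        for prior in events[:i]:
            if prior["event"] == "auth":
                baseline.setdefault(prior["user"], set()).add(prior["ip"])
        new_ip_auths = [
            {"ts": a["ts"], "user": a["user"], "ip": a["ip"]}
            for a in events[i + 1:]
            if a["event"] == "auth"
            and datetime.fromisoformat(a["ts"]) <= deadline
            and a["ip"] not in baseline.get(a["user"], set())
        ]
        alerts.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                       "indicators": hits, "new_ip_auths": new_ip_auths})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

On the sample log the benign edit at 09:00 produces nothing, the 09:05 edit is flagged on `<script` only after decoding, and the only correlated authentication is the 09:20 one from an address the admin had never used; the 09:12 login from a known address and the 12:00 login outside the window are ignored.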

WAF Detection Rules

Rule 1 – Block Script Tags in Rich-Text Fields

SecRule REQUEST_BODY "(?i)<script[^>]*>" \
"id:1001001,phase:2,deny,log,msg:'Stored XSS attempt – script tag detected'"

Rule 2 – Detect Inline Event Handlers

SecRule REQUEST_BODY "(?i)on(error|load|mouseover|focus|click)\s*=" \
"id:1001002,phase:2,deny,log,msg:'Stored XSS attempt – inline event handler detected'"

Rule 3 – Detect JavaScript URI Usage

SecRule REQUEST_BODY "(?i)javascript\s*:" \
"id:1001003,phase:2,deny,log,msg:'Stored XSS attempt – javascript URI detected'"

Rule 4 – Monitor Suspicious HTML in Admin Endpoints

SecRule REQUEST_URI "@contains /admin" \
"chain,id:1001004,phase:2,deny,log,msg:'Suspicious HTML content in admin request'"
SecRule REQUEST_BODY "(?i)<(iframe|svg|object|embed)"

These rules should be tuned carefully to reduce false positives and applied only to endpoints that are not expected to receive raw HTML. Two practical caveats: REQUEST_BODY is only populated when SecRequestBodyAccess is On (and JSON bodies need the JSON body processor enabled), and because Saleor's API is GraphQL, content arrives inside JSON where a client may encode angle brackets as \u003c and \u003e, which these regular expressions do not match unless the body is decoded first.


Recommended Mitigations

  • Immediate upgrade to a patched Saleor release
  • Execution of vendor-provided cleanup commands to scan stored content
  • Review and sanitization of existing rich-text data
  • Implementation of strict Content Security Policy (CSP)
  • Limitation of which users can edit rich-text fields
  • Token rotation for administrative users
  • Ongoing monitoring of admin content changes
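The first three mitigations rest on server-side sanitization of rich-text data, so here is an allowlist sanitizer for EditorJS-style content, written as an added example for this page; it is not Saleor's patch and does not claim to reproduce it. It assumes the common EditorJS block shapes (`paragraph` and `header` with `data.text`, `quote` with `data.text`/`data.caption`, `list` with `data.items`), keeps a small set of inline formatting tags plus `<a href>` with a safe scheme, drops every other tag and attribute, and escapes the remaining text. It is built on the standard library's `html.parser` so it runs with no dependencies; a production deployment would more likely use a maintained sanitizer library with the same allowlist policy.

```python
import json
import re
from html import escape
from html.parser import HTMLParser

# Allowlist for the inline markup EditorJS emits in paragraph/header/list text.
ALLOWED_TAGS = {"b", "i", "strong", "em", "u", "code", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose inner text is discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
# Fields that hold HTML for the (assumed) EditorJS block types handled here.
TEXT_FIELDS = {"paragraph": ("text",), "header": ("text",), "quote": ("text", "caption")}


def is_safe_url(value):
    """Reject javascript:, data: and any other scheme-bearing URL. Whitespace and control
    characters are removed first because browsers ignore them inside the scheme."""
    url = re.sub(r"[\s\x00-\x1f]", "", (value or "").lower())
    return url.startswith(SAFE_URL_PREFIXES) or ":" not in url


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allowlisted tags and attributes; everything else is
    dropped (tags, attributes, comments) or escaped (text)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside a tag whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or is_safe_url(value)):
                kept += ' %s="%s"' % (name, escape(value or "", quote=True))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Sanitize one HTML fragment (the text of a single EditorJS block)."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_editorjs(content):
    """Return a deep copy of an EditorJS document with every known text field sanitized."""
    clean = json.loads(json.dumps(content))
    for block in clean.get("blocks", []):
        data = block.get("data", {})
        for field in TEXT_FIELDS.get(block.get("type"), ()):
            if isinstance(data.get(field), str):
                data[field] = sanitize_html(data[field])
        if block.get("type") == "list":
            data["items"] = [sanitize_html(item) if isinstance(item, str) else item
                             for item in data.get("items", [])]
    return clean


if __name__ == "__main__":
    # Constructed document, not real Saleor data.
    sample = {"blocks": [
        {"type": "paragraph", "data": {"text": 'Hi <b>there</b> <script>alert(1)</script>'
                                               '<a href="javascript:alert(1)">link</a>'}},
        {"type": "list", "data": {"style": "unordered",
                                  "items": ["<em>ok</em>", "<svg onload=alert(1)>plain"]}},
    ]}
    print(json.dumps(sanitize_editorjs(sample), indent=2))
```

The same function can be run once over existing stored content as part of the "review and sanitization of existing rich-text data" step, comparing the sanitized copy against the original to find records that changed; the copy returned by `sanitize_editorjs` leaves the input untouched, so the diff is easy to log before anything is overwritten.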

Official Patch / Upgrade Link

Saleor Security Advisory & Fixed Releases:
👉 https://github.com/saleor/saleor/security/advisories

Upgrading to one of the following versions (or later) resolves the issue:

  • 3.20.108
  • 3.21.43
  • 3.22.27

Final Takeaway

This vulnerability highlights the importance of server-side content sanitization even when rich-text editors are used. Stored XSS issues are particularly dangerous because they persist over time and affect multiple users. While exploitation requires authenticated access, the resulting impact can be significant, especially in administrative environments.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.