
saleor — Vulnerabilities & Security Advisories (18)

Browse all 18 CVE security advisories affecting saleor. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Saleor is an open-source e-commerce platform built on Django and GraphQL, serving as a headless commerce solution for online businesses. Historically, vulnerabilities have included cross-site scripting (XSS), remote code execution (RCE), privilege escalation, and insecure direct object references (IDOR), often stemming from improper input validation and access controls. While no major public security incidents have been widely reported, the 18 CVEs on record highlight persistent security concerns, particularly around API endpoints and user permissions. The platform's modular architecture and third-party integrations introduce additional attack surfaces, requiring rigorous security hardening and regular updates to mitigate risks.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39851 | Saleor has a user enumeration vulnerability due to different error messages | saleor | CWE-204 | 5.3 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-35407 | Saleor has Cross-Account Email Change via Unbound Confirmation Token | saleor | CWE-285 | 5.3 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-35401 | Saleor has a resource exhaustion vulnerability in GraphQL queries | saleor | CWE-770 | 7.5 | High | 2026-04-08 |
| CVE-2026-33756 | Saleor Affected by Denial of Service via Unbounded GraphQL Query Batching | saleor | CWE-770 | 7.5 | High | 2026-04-08 |
| CVE-2026-24136 | Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API | saleor | CWE-639 | 7.5 | - | 2026-01-23 |
| CVE-2026-23499 | Saleor vulnerable to stored XSS via Unrestricted File Upload | saleor | CWE-79 | 6.5 (AI) | Medium (AI) | 2026-01-21 |
| CVE-2026-22849 | Saleor lacks proper HTML sanitization in rich text fields | saleor | CWE-83 | 5.4 (AI) | Medium (AI) | 2026-01-21 |
| CVE-2025-58442 | Saleor has user enumeration vulnerability due to different error messages | saleor | CWE-204 | 5.3 | Medium | 2025-09-09 |
| CVE-2024-31205 | Saleor CSRF bypass in refreshToken mutation | saleor | CWE-352 | 4.2 | Medium | 2024-04-08 |
| CVE-2024-29888 | Saleor vulnerable to customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method | saleor | CWE-359 | 4.2 | Medium | 2024-03-27 |
| CVE-2024-29036 | Saleor Storefront session leak in cache | storefront | CWE-200 | 4.3 | Medium | 2024-03-20 |
| CVE-2023-3294 | Cross-site Scripting (XSS) - DOM in saleor/react-storefront | saleor/react-storefront | CWE-79 | 6.1 | - | 2023-06-16 |
| CVE-2023-32694 | Non-constant time HMAC comparison in Adyen plugin in Saleor | saleor | CWE-203 | 4.8 | Medium | 2023-05-25 |
| CVE-2023-26052 | Saleor is vulnerable to unauthenticated information disclosure via Python exceptions | saleor | CWE-209 | 3.7 | Low | 2023-03-02 |
| CVE-2023-26051 | Saleor is vulnerable to staff-authenticated error message information disclosure via Python exceptions | saleor | CWE-209 | 6.5 | Medium | 2023-03-02 |
| CVE-2022-39275 | Improper object type validation in saleor | saleor | CWE-863 | 5.3 | Medium | 2022-10-06 |
| CVE-2022-0932 | Missing Authorization in saleor/saleor | saleor/saleor | CWE-862 | 7.1 | - | 2022-03-11 |
| CVE-2019-1010304 | Mirumee Saleor access control error vulnerability | Saleor | - | 5.3 | - | 2019-07-15 |

CVSS scores and severities marked (AI) carried an "AI" tag on the original listing rather than a value from the published advisory; "-" means the listing gave no value.

This page lists every published CVE security advisory associated with saleor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.