VYPR

Saleor

by Saleor

pypi: saleor

Source repositories

CVEs (17)

  • CVE-2026-35401 · High · Apr 8, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include many GraphQL mutations or queries in a single API call using aliases or chaining multiple mutations, resulting in resource exhaustion. This…

  • CVE-2026-33756 · High · Apr 8, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations.…

  • CVE-2026-35407 · Medium · Apr 8, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorization flaw was found in the account email change workflow: the confirmation flow did not verify that the email change confirmation token was issued for…

  • CVE-2025-58442 · Medium · Sep 9, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor.…

  • CVE-2026-39851 · Medium · Apr 8, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and…

  • CVE-2026-24136 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders…

  • CVE-2026-23499 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment…

  • CVE-2026-22849 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to modify rich text fields with HTML without running any backend HTML cleaners, thus allowing malicious actors to perform stored XSS attacks…

  • CVE-2024-31205 · Apr 8, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-site request forgery (CSRF) validation when calling the refresh token mutation with an empty string. When a user…

  • CVE-2024-29888 · Mar 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method, in specific conditions the customer could overwrite the warehouse address with their own, which exposes their address as the click-and-collect…

  • CVE-2023-3294 · Jun 16, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7.

  • CVE-2023-32694 · May 25, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge…

  • CVE-2023-26052 · Mar 2, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and are therefore returned in the API as error messages. Some messages might contain sensitive information like infrastructure details in…

  • CVE-2023-26051 · Mar 2, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are not handled properly and are therefore returned in the API as error messages. Some messages might contain sensitive information like user email addresses in…

  • CVE-2022-39275 · Oct 6, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input, which allowed access to database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose…

  • CVE-2022-0932 · Mar 11, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.

  • CVE-2019-1010304 · Jul 15, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Saleor: the issue was introduced by merge commit e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit, released as part of the 2.0.0 release, is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector…