## https://sploitus.com/exploit?id=1B416F2B-FA8C-5186-92DC-A944DE9B0A23
# CVE-2026-23499: Saleor vulnerable to stored XSS via Unrestricted File Upload
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-23499 |
| **Vulnerability Type** | Cross-Site Scripting (XSS) |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these file
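The defensive side of the issue described above, as an added example that is not Saleor's own code or its fix: an upload validator that rejects HTML and SVG (the file types a browser will execute script from when they are served inline), cross-checks the declared extension against the file's magic bytes, and sniffs the leading bytes for active markup so that polyglot files (e.g. a GIF header followed by HTML) are caught too. The allowlist, the helper names and the sample inputs are assumptions for illustration.

```python
import re

# Allowlist of types a media upload endpoint needs. SVG and HTML are excluded
# deliberately: both carry script that runs in the serving origin.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp", "pdf"}

# Magic bytes used to verify that the content matches the declared extension.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "webp": b"RIFF",
    "pdf": b"%PDF",
}

# Markup a browser would execute or render as a document; checked on the
# file prefix even when the magic bytes look right, to catch polyglots.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:|<\s*svg\b|<\s*html\b|<!doctype\s+html",
    re.IGNORECASE,
)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and body.
    Checks: extension allowlist, magic bytes, then active-content sniffing."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match declared type {ext}"
    # A sniffing browser can render "GIF89a<html>..." as HTML, so a valid
    # header alone is not enough; inspect the first 4 KiB for markup.
    if ACTIVE_CONTENT.search(data[:4096]):
        return False, "active content detected in upload"
    return True, "ok"


def response_headers_for_user_content() -> dict:
    """Headers for serving any user-supplied file (assumed deployment choice):
    force download, forbid MIME sniffing, and sandbox if rendered anyway."""
    return {
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

Serving uploads from a separate origin (a dedicated media domain or object-storage bucket) removes the stored-XSS impact on the application origin even if validation is bypassed.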
## Affected Products
- **saleor/saleor**
## References
- https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95
- https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99
- https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10
- https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335
- https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c
- https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24
- https://docs.saleor.io/security/#restricted-file-uploads
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.