saleor

20 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-39851
>= 2.10.0 and < 3.20.118
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutatio
4.3 MEDIUM
CVE-2026-35407
>= 2.10.0 and < 3.20.118
Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a business-logic and authorizati
6.5 MEDIUM
CVE-2026-35401
>= 2.0.0 and < 3.20.118
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, a malicious actor can include man
7.5 HIGH
CVE-2026-33756
>= 2.0.0 and < 3.20.118
Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by
7.5 HIGH
CVE-2026-24136
>= 3.2.0 and < 3.20.110
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have
7.5 HIGH
CVE-2026-23499
>= 3.0.0 and < 3.20.108
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed a
5.4 MEDIUM
CVE-2026-22849
>= 3.0.0 and < 3.20.108
Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allow
4.8 MEDIUM
CVE-2024-31205
>= 3.10.0 and < 3.14.64
Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, an
4.2 MEDIUM
CVE-2024-29888
>= 3.14.56 and < 3.14.61
Saleor is an e-commerce platform that serves high-volume companies. When using Pickup: Local stock only click-and-collect as a d
4.2 MEDIUM
CVE-2024-29036
< 1.0.2
Saleor Storefront is software for building e-commerce experiences. Prior to commit 579241e75a5eb332ccf26e0bcdd54befa33f4783, when
4.3 MEDIUM
CVE-2023-3294
< 2023-06-16
Cross-site Scripting (XSS) - DOM in GitHub repository saleor/react-storefront prior to c29aab226f07ca980cc19787dcef101e11b83ef7.
6.1 MEDIUM
CVE-2023-32694
>= 2.11.0 and < 3.7.68
Saleor Core is a composable, headless commerce API. Saleor's validate_hmac_signature function is vulnerable to timing attacks. M
4.8 MEDIUM
CVE-2023-26052
>= 2.0.0 and < 3.1.48
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are
3.7 LOW
CVE-2023-26051
>= 2.0.0 and < 3.1.48
Saleor is a headless, GraphQL commerce platform delivering personalized shopping experiences. Some internal Python exceptions are
6.5 MEDIUM
CVE-2022-39275
>= 2.0.0 and < 3.1.24
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID typ
5.3 MEDIUM
CVE-2022-0932
< 3.1.2
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.
6.5 MEDIUM
CVE-2020-15085
< 2.10.3
In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser's
6.9 MEDIUM
CVE-2020-7964
>= 2.0.0 and < 2.9.1
An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allow
5.3 MEDIUM
CVE-2019-1010304
>= 2.0.0 and < 2.3.1
Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 r
5.3 MEDIUM
CVE-2019-13594
all versions
In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a
8.8 HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin