Maciej Korycinski

7 exploits Active since May 2023
CVE-2025-58442 WRITEUP MEDIUM WRITEUP
Saleor 3.21.0-3.21.15 - User Enumeration via accountRegister Response Discrepancy
Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes the issue. As a workaround, rate-limit the mutation to reduce the impact.
CVSS 5.3
CVE-2026-24136 WRITEUP HIGH WRITEUP
Saleor 3.2.0-3.20.109 3.21.0-a.0-3.21.44 3.22.0-a.0-3.22.28 - Unauthenticated Insecure Direct Object Reference
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVSS 7.5
CVE-2026-24136 WRITEUP HIGH WRITEUP
Saleor 3.2.0-3.20.109 3.21.0-a.0-3.21.44 3.22.0-a.0-3.22.28 - Unauthenticated Insecure Direct Object Reference
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVSS 7.5
CVE-2026-24136 WRITEUP HIGH WRITEUP
Saleor 3.2.0-3.20.109 3.21.0-a.0-3.21.44 3.22.0-a.0-3.22.28 - Unauthenticated Insecure Direct Object Reference
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVSS 7.5
CVE-2023-32694 WRITEUP MEDIUM WRITEUP
Saleor Core <3.7.67 - Timing Attack
Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
CVSS 4.8
CVE-2025-58442 WRITEUP MEDIUM WRITEUP
Saleor 3.21.0-3.21.15 - User Enumeration via accountRegister Response Discrepancy
Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes the issue. As a workaround, rate-limit the mutation to reduce the impact.
CVSS 5.3
CVE-2026-24136 WRITEUP HIGH WRITEUP
Saleor 3.2.0-3.20.109 3.21.0-a.0-3.21.44 3.22.0-a.0-3.22.28 - Unauthenticated Insecure Direct Object Reference
Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have a n Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PIIs exfiltrated. The issue has been patched in Saleor versions: 3.22.29, 3.21.45, and 3.20.110. To workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF.
CVSS 7.5