CVE-2026-39851

Source
https://cve.org/CVERecord?id=CVE-2026-39851
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39851.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39851
Aliases
  • GHSA-m3rm-m4vq-27x7
Published
2026-04-08T17:33:37.998Z
Modified
2026-07-08T08:13:03.451925793Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Saleor has a user enumeration vulnerability due to different error messages
Details

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39851.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-204"
    ]
}
References

Affected packages

Git / github.com/saleor/saleor

Affected ranges

Type
GIT
Repo
https://github.com/saleor/saleor
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.10.0"
        },
        {
            "fixed": "3.20.118"
        },
        {
            "introduced": "3.21.0"
        },
        {
            "fixed": "3.21.54"
        },
        {
            "introduced": "3.22.0"
        },
        {
            "fixed": "3.22.47"
        }
    ]
}

Affected versions

2.*
2.10.0
3.*
3.0.0-a.0
3.11.0-a.0
3.12.0-a.0
3.13.0-a.0
3.14.67
3.14.84
3.15.0-a.0
3.15.41
3.16.0-a.0
3.16.42
3.17.0-a.0
3.17.69
3.18.0-a.0
3.19.0-a.0
3.2.0
3.20.0
3.20.0-a.0
3.20.0-a.1
3.20.1
3.20.10
3.20.100
3.20.101
3.20.102
3.20.103
3.20.104
3.20.105
3.20.106
3.20.107
3.20.108
3.20.109
3.20.11
3.20.110
3.20.111
3.20.112
3.20.113
3.20.114
3.20.115
3.20.116
3.20.117
3.20.12
3.20.13
3.20.14
3.20.15
3.20.16
3.20.17
3.20.18
3.20.19
3.20.2
3.20.20
3.20.21
3.20.22
3.20.23
3.20.24
3.20.25
3.20.26
3.20.27
3.20.28
3.20.29
3.20.3
3.20.30
3.20.31
3.20.32
3.20.33
3.20.34
3.20.35
3.20.36
3.20.37
3.20.38
3.20.39
3.20.4
3.20.40
3.20.41
3.20.42
3.20.43
3.20.44
3.20.45
3.20.46
3.20.47
3.20.48
3.20.49
3.20.5
3.20.50
3.20.51
3.20.52
3.20.53
3.20.54
3.20.55
3.20.56
3.20.57
3.20.58
3.20.59
3.20.6
3.20.60
3.20.61
3.20.62
3.20.63
3.20.64
3.20.65
3.20.66
3.20.67
3.20.68
3.20.69
3.20.7
3.20.70
3.20.71
3.20.72
3.20.73
3.20.74
3.20.75
3.20.76
3.20.77
3.20.78
3.20.79
3.20.8
3.20.80
3.20.81
3.20.82
3.20.83
3.20.84
3.20.85
3.20.86
3.20.87
3.20.88
3.20.89
3.20.9
3.20.90
3.20.91
3.20.92
3.20.93
3.20.94
3.20.95
3.20.96
3.20.97
3.20.98
3.20.99
3.21.0
3.21.0-a.0
3.21.1
3.21.10
3.21.11
3.21.12
3.21.13
3.21.14
3.21.15
3.21.16
3.21.17
3.21.18
3.21.19
3.21.2
3.21.20
3.21.21
3.21.22
3.21.23
3.21.24
3.21.25
3.21.26
3.21.27
3.21.28
3.21.29
3.21.3
3.21.30
3.21.31
3.21.32
3.21.33
3.21.34
3.21.35
3.21.36
3.21.37
3.21.38
3.21.39
3.21.4
3.21.40
3.21.41
3.21.42
3.21.43
3.21.44
3.21.45
3.21.46
3.21.47
3.21.48
3.21.49
3.21.5
3.21.50
3.21.51
3.21.52
3.21.53
3.21.6
3.21.7
3.21.8
3.21.9
3.22.0
3.22.1
3.22.10
3.22.11
3.22.12
3.22.13
3.22.14
3.22.15
3.22.16
3.22.17
3.22.18
3.22.19
3.22.2
3.22.20
3.22.21
3.22.22
3.22.23
3.22.24
3.22.25
3.22.26
3.22.27
3.22.28
3.22.29
3.22.3
3.22.30
3.22.31
3.22.32
3.22.33
3.22.34
3.22.35
3.22.36
3.22.37
3.22.38
3.22.39
3.22.4
3.22.40
3.22.41
3.22.42
3.22.43
3.22.44
3.22.45
3.22.46
3.22.5
3.22.6
3.22.7
3.22.8
3.22.9
3.23.0-a.0
3.23.0-a.1
3.23.0-a.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39851.json"