{"id":"PYSEC-2026-916","summary":"Mirumee Saleor CSRF Protection Disabled","details":"In Mirumee Saleor 2.7.0 (fixed in 2.8.0), CSRF protection middleware was accidentally disabled, which allowed attackers to send a POST request without a valid CSRF token and be accepted by the server.","aliases":["CVE-2019-13594","GHSA-fgjh-x3f8-8gmh"],"modified":"2026-07-07T11:45:50.626135822Z","published":"2026-07-06T08:03:28.261194Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13594"},{"type":"WEB","url":"https://github.com/mirumee/saleor/commit/94c07034ff1bfc209461e39ca1bb6228d8ca0e35"},{"type":"WEB","url":"http://web.archive.org/web/20190713094847/https://github.com/mirumee/saleor/releases/tag/2.8.0"},{"type":"PACKAGE","url":"https://pypi.org/project/saleor"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fgjh-x3f8-8gmh"}],"affected":[{"package":{"name":"saleor","ecosystem":"PyPI","purl":"pkg:pypi/saleor"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.7.0"},{"fixed":"2.8.0"}]}],"versions":["2.7.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/saleor/PYSEC-2026-916.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}