I just created a total new instance of Nop4.4 with a void database.
Then I created a product with "<script>alert("🏴☠️Just Hacked by XSS🏴☠️");</script>" in short description and enabled the "Show on home page" checkbox.
Then for every user that goes on the homepage, the script starts running.
That also works with an Excel import.
Is it a real security issue or not ?