How to fix CVE-2025-27400?

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Is Adobe affected by CVE-2025-27400?

CVE-2025-27400 is a low-severity vulnerability involving cross-site scripting (CVSS 2.9). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

CVE-2025-27400

LOW

2025-02-28 [email protected]

2.9

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 18:29 vuln.today

CVE Published

Feb 28, 2025 - 16:15 nvd

LOW 2.9

Description

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practicality it is not very likely to be useful given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.0 contain a patch for the issue.

Analysis

Technical Context

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Versions prior to 20.12.3 and 20.13.0 contain a vulnerability that allows script execution in the admin panel which could lead to cross-site scripting against authenticated admin users. The attack requires an admin user with configuration access, so in practicality it is not very likely to be useful given that a user with this level of access is probably already a full admin. Versions 20.12.3 and 20.13.0 contain a patch for the issue. Version information: prior to 20.12.3.

Affected Products

See vendor advisory for affected versions.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +14

POC: 0

CVE-2025-27400 vulnerability details – vuln.today

Back

CVE-2025-27400

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-27400

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code