Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Network-reachable form field with low complexity, requiring a low-privileged account (PR:L) and victim interaction (UI:R); stored XSS crosses into a higher-privileged session (S:C) enabling session and account compromise (C:H/I:H) with no availability impact.
Primary rating from Vendor (adobe).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
AnalysisAI
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged account on the Adobe Commerce/Magento instance (CVSS PR:L) with the ability to write into one of the vulnerable form fields, plus victim user interaction (UI:R): a higher-privileged user must subsequently browse to the page that renders the stored value for the payload to fire. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N scores 8.7 (High): network-reachable and low-complexity, but gated by a low-privileged account (PR:L) and victim interaction (UI:R), with high confidentiality and integrity impact and a scope change reflecting compromise of a higher-privileged user such as a store administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user - for example a limited back-office operator or a B2B company account holder - submits a form field carrying a crafted JavaScript payload that the application stores. When a higher-privileged administrator later opens the page that renders that field, the script executes in the admin's browser and steals the session or performs actions as the admin. … |
| Remediation | Apply the security update described in Adobe bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html) - Patch available per vendor advisory; the exact fixed versions for Adobe Commerce, Commerce B2B, Magento Open Source, and the Webhooks Plugin are enumerated there and should be applied through your deployment channel rather than an invented version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all instances running affected Adobe Commerce and Magento versions; review access logs and form submissions for indicators of stored XSS injection; temporarily restrict low-privilege user access to sensitive form fields if business operations permit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Commerce
View allRemote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj
Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file
Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug
Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44413
GHSA-43w8-p43r-wq5q