Skip to main content

Adobe Commerce CVE-2026-47994

| EUVDEUVD-2026-44413 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 adobe GHSA-43w8-p43r-wq5q
5.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (adobe) PRIMARY
HIGH
qualitative
NVD
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
8.7 HIGH

Network-reachable form field with low complexity, requiring a low-privileged account (PR:L) and victim interaction (UI:R); stored XSS crosses into a higher-privileged session (S:C) enabling session and account compromise (C:H/I:H) with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (adobe).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 15, 2026 - 15:37 NVD
HIGH MEDIUM
CVSS changed
Jul 15, 2026 - 15:37 NVD
8.7 (HIGH) 5.4 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 20:59 vuln.today
CVE Published
Jul 14, 2026 - 19:44 nvd
HIGH 8.7

DescriptionNVD

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

AnalysisAI

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Commerce/Magento account
Delivery
Inject JavaScript into vulnerable form field
Exploit
Payload stored server-side
Execution
Admin browses page rendering field
Persist
Script executes in admin session
Impact
Session hijack and account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged account on the Adobe Commerce/Magento instance (CVSS PR:L) with the ability to write into one of the vulnerable form fields, plus victim user interaction (UI:R): a higher-privileged user must subsequently browse to the page that renders the stored value for the payload to fire. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N scores 8.7 (High): network-reachable and low-complexity, but gated by a low-privileged account (PR:L) and victim interaction (UI:R), with high confidentiality and integrity impact and a scope change reflecting compromise of a higher-privileged user such as a store administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user - for example a limited back-office operator or a B2B company account holder - submits a form field carrying a crafted JavaScript payload that the application stores. When a higher-privileged administrator later opens the page that renders that field, the script executes in the admin's browser and steals the session or performs actions as the admin. …
Remediation Apply the security update described in Adobe bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html) - Patch available per vendor advisory; the exact fixed versions for Adobe Commerce, Commerce B2B, Magento Open Source, and the Webhooks Plugin are enumerated there and should be applied through your deployment channel rather than an invented version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all instances running affected Adobe Commerce and Magento versions; review access logs and form submissions for indicators of stored XSS injection; temporarily restrict low-privilege user access to sensitive form fields if business operations permit. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48358 CRITICAL
10.0 Jul 14

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u

CVE-2021-36020 CRITICAL
9.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj

CVE-2026-48356 CRITICAL
9.6 Jul 14

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file

CVE-2026-47984 CRITICAL
9.1 Jul 14

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug

CVE-2026-47988 CRITICAL
9.1 Jul 14

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi

CVE-2021-36032 HIGH
8.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36044 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36030 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2026-47992 HIGH
7.2 Jul 14

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows

CVE-2021-36042 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36041 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36040 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

Share

CVE-2026-47994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy