Skip to main content

Adobe Commerce CVE-2026-47995

| EUVDEUVD-2026-44417 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 adobe GHSA-4g73-5xhh-82cv
4.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (adobe) PRIMARY
HIGH
qualitative
NVD
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
8.1 HIGH

Stored XSS reachable over the network but requiring a high-privileged admin to inject (PR:H) and a victim to view the page (UI:R); scope changes across privilege boundary with high confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (adobe).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 15, 2026 - 14:37 NVD
HIGH MEDIUM
CVSS changed
Jul 15, 2026 - 14:37 NVD
8.1 (HIGH) 4.8 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 20:58 vuln.today
CVE Published
Jul 14, 2026 - 19:44 nvd
HIGH 8.1

DescriptionNVD

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.

AnalysisAI

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as high-privileged admin
Delivery
Inject JavaScript into stored form field
Exploit
Payload persisted server-side
Execution
Victim admin views affected page
Persist
Script executes in victim session
Impact
Hijack session or account control

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess a high-privileged Adobe Commerce/Magento admin account (CVSS PR:H) with the ability to write to a persistent form field, and it requires a victim to subsequently browse to the page that renders that stored field (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N - network-reachable and low complexity, but gated by two meaningful limiters: PR:H (the attacker must already hold high privileges) and UI:R (a victim must load the poisoned page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised sub-admin with content or configuration privileges injects a JavaScript payload into a stored form field (for example a product, CMS block, or webhook definition). When a higher-privileged administrator later opens the page that renders that field, the script executes in their authenticated session and can hijack their session token or perform actions as that admin. …
Remediation Apply the fixes described in Adobe security bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html); the input did not include an exact fixed version number, so Patch available per vendor advisory - verify the precise patched build and any applicable quality patch (QPT) or hotfix for your version directly from that bulletin rather than assuming a version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Adobe Commerce, Commerce B2B, and Magento Open Source deployments and deploy web application firewall (WAF) rules to block common XSS payloads in form submissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-48358 CRITICAL
10.0 Jul 14

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u

CVE-2021-36020 CRITICAL
9.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj

CVE-2026-48356 CRITICAL
9.6 Jul 14

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file

CVE-2026-47984 CRITICAL
9.1 Jul 14

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug

CVE-2026-47988 CRITICAL
9.1 Jul 14

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi

CVE-2021-36032 HIGH
8.8 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36044 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36030 HIGH
7.5 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2026-47992 HIGH
7.2 Jul 14

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows

CVE-2021-36042 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36041 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

CVE-2021-36040 HIGH
7.2 Sep 01

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope

Share

CVE-2026-47995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy