Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Stored XSS reachable over the network but requiring a high-privileged admin to inject (PR:H) and a victim to view the page (UI:R); scope changes across privilege boundary with high confidentiality/integrity impact and no availability effect.
Primary rating from Vendor (adobe).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
AnalysisAI
Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess a high-privileged Adobe Commerce/Magento admin account (CVSS PR:H) with the ability to write to a persistent form field, and it requires a victim to subsequently browse to the page that renders that stored field (CVSS UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N - network-reachable and low complexity, but gated by two meaningful limiters: PR:H (the attacker must already hold high privileges) and UI:R (a victim must load the poisoned page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised sub-admin with content or configuration privileges injects a JavaScript payload into a stored form field (for example a product, CMS block, or webhook definition). When a higher-privileged administrator later opens the page that renders that field, the script executes in their authenticated session and can hijack their session token or perform actions as that admin. … |
| Remediation | Apply the fixes described in Adobe security bulletin APSB26-73 (https://helpx.adobe.com/security/products/magento/apsb26-73.html); the input did not include an exact fixed version number, so Patch available per vendor advisory - verify the precise patched build and any applicable quality patch (QPT) or hotfix for your version directly from that bulletin rather than assuming a version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Adobe Commerce, Commerce B2B, and Magento Open Source deployments and deploy web application firewall (WAF) rules to block common XSS payloads in form submissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Adobe Commerce
View allRemote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current u
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Inj
Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file
Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plug
Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugi
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an imprope
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44417
GHSA-4g73-5xhh-82cv