Magento
Monthly
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.
Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 permit attackers to bypass security features and degrade data integrity and availability with no user interaction required. The vulnerability affects multiple Adobe Commerce and Magento B2B product lines, though exploitation requires specific conditions outside the attacker's direct control. No patch is currently available for this medium-severity flaw.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.
Security feature bypass in Adobe Commerce and Magento versions 2.4.4-p16 through 2.4.9-alpha3 results from improper input validation, allowing unauthenticated remote attackers to compromise the integrity of affected systems without user interaction. The vulnerability affects multiple product lines including Commerce B2B, with no patch currently available. The medium severity rating reflects limited impact scope, though the network-accessible attack vector presents a meaningful risk to exposed instances.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.
Improper authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow authenticated attackers to bypass security features and access restricted functionality without requiring user interaction. The vulnerability affects multiple Commerce and B2B product lines, enabling low-privileged users to gain unauthorized access to sensitive features. No patch is currently available for this issue.
Incorrect authorization in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers to bypass security controls and view sensitive data without user interaction. The vulnerability stems from improper access control checks that enable low-privileged users to access information they should not be able to view. Currently, no patch is available for affected versions.
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow unauthenticated remote attackers to bypass security features and gain unauthorized read access to sensitive data without user interaction. The vulnerability stems from improper access restrictions and could expose confidential information across affected Magento Commerce and Commerce B2B deployments. No patch is currently available to remediate this issue.
Incorrect authorization controls in Adobe Commerce 2.4.9-alpha3 through 2.4.4-p16 permit low-privileged authenticated users to bypass security features and access restricted functionality without user interaction. The vulnerability stems from improper authorization checks that fail to enforce proper access controls. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.
Denial-of-service attacks against Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 are possible through improper input validation that fails to sanitize malicious payloads. An unauthenticated remote attacker can trigger application unavailability by sending specially crafted requests without requiring user interaction. No security patch is currently available for this vulnerability.
Magento-lts versions prior to 20.16.1 expose the admin panel URL through improper handling of the X-Original-Url header in certain server configurations, allowing unauthenticated attackers to discover the administrative interface location without prior knowledge. This information disclosure weakness could facilitate follow-up attacks targeting the admin panel. The vulnerability affects Magento Community Edition long-term support installations and has been patched in version 20.16.1.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.
Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.
A remote code execution vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. This vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The 8.2 CVSS score combined with the network-accessible attack vector and lack of authentication requirements indicates significant real-world risk.
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields, which execute when victims visit the affected pages. Successful exploitation enables session hijacking and compromise of user confidentiality and integrity, though user interaction is required for the attack to succeed. No patch is currently available for this vulnerability.
Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 permit attackers to bypass security features and degrade data integrity and availability with no user interaction required. The vulnerability affects multiple Adobe Commerce and Magento B2B product lines, though exploitation requires specific conditions outside the attacker's direct control. No patch is currently available for this medium-severity flaw.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows privileged attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and credential theft. Exploitation requires user interaction and a high-privileged attacker account, but successful attacks compromise both confidentiality and integrity. No patch is currently available for affected versions.
Security feature bypass in Adobe Commerce and Magento versions 2.4.4-p16 through 2.4.9-alpha3 results from improper input validation, allowing unauthenticated remote attackers to compromise the integrity of affected systems without user interaction. The vulnerability affects multiple product lines including Commerce B2B, with no patch currently available. The medium severity rating reflects limited impact scope, though the network-accessible attack vector presents a meaningful risk to exposed instances.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from improper access controls that allow attackers to bypass security features and view sensitive information without authentication or user interaction. Multiple supported versions remain vulnerable as no patch is currently available.
Improper authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow authenticated attackers to bypass security features and access restricted functionality without requiring user interaction. The vulnerability affects multiple Commerce and B2B product lines, enabling low-privileged users to gain unauthorized access to sensitive features. No patch is currently available for this issue.
Incorrect authorization in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers to bypass security controls and view sensitive data without user interaction. The vulnerability stems from improper access control checks that enable low-privileged users to access information they should not be able to view. Currently, no patch is available for affected versions.
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allows high-privileged attackers to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires attacker credentials and user interaction but could compromise session security and steal sensitive data across multiple Commerce deployments. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers, enabling session hijacking and data theft. Exploitation requires user interaction when a victim visits a page containing the compromised field. No patch is currently available.
Unauthorized data disclosure in Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 stems from an authorization bypass flaw that allows unauthenticated attackers to view sensitive information without user interaction. The vulnerability exploits improper access controls to circumvent security protections, exposing confidential data to remote threat actors. Currently no patch is available for affected versions.
Incorrect authorization controls in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 allow unauthenticated remote attackers to bypass security features and gain unauthorized read access to sensitive data without user interaction. The vulnerability stems from improper access restrictions and could expose confidential information across affected Magento Commerce and Commerce B2B deployments. No patch is currently available to remediate this issue.
Incorrect authorization controls in Adobe Commerce 2.4.9-alpha3 through 2.4.4-p16 permit low-privileged authenticated users to bypass security features and access restricted functionality without user interaction. The vulnerability stems from improper authorization checks that fail to enforce proper access controls. No patch is currently available for affected versions.
Stored XSS in Adobe Commerce versions 2.4.9-alpha3 through 2.4.4-p16 enables high-privileged attackers to inject malicious scripts into form fields, which execute in victim browsers during page visits. An attacker exploiting this vulnerability can achieve session hijacking and compromise both confidentiality and integrity, though successful exploitation requires user interaction and administrative privileges. No patch is currently available.
Denial-of-service attacks against Adobe Commerce and Magento B2B versions 2.4.4 through 2.4.9-alpha3 are possible through improper input validation that fails to sanitize malicious payloads. An unauthenticated remote attacker can trigger application unavailability by sending specially crafted requests without requiring user interaction. No security patch is currently available for this vulnerability.
Magento-lts versions prior to 20.16.1 expose the admin panel URL through improper handling of the X-Original-Url header in certain server configurations, allowing unauthenticated attackers to discover the administrative interface location without prior knowledge. This information disclosure weakness could facilitate follow-up attacks targeting the admin panel. The vulnerability affects Magento Community Edition long-term support installations and has been patched in version 20.16.1.
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.
Adobe Commerce versions 2.4.8 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-47110, CVSS 8.4) in form field validation that allows high-privileged attackers to inject malicious JavaScript into the application. When other high-privileged users view pages containing the injected payload, the malicious script executes in their browser context, potentially compromising confidentiality, integrity, and availability across multiple privileged accounts. The vulnerability requires high privileges to exploit but affects other high-privileged users, making it a significant concern in multi-admin environments.
A remote code execution vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Adobe Commerce versions 2.4.8 and earlier contain an improper authorization vulnerability (CWE-285) that allows unauthenticated attackers to bypass security features and gain unauthorized access to sensitive functionality. This vulnerability has a high integrity impact and can be exploited remotely without user interaction, making it a critical priority for Adobe Commerce administrators. The 8.2 CVSS score combined with the network-accessible attack vector and lack of authentication requirements indicates significant real-world risk.
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.