Skip to main content

Magento Open Source

45 CVEs product

Monthly

CVE-2026-47984 CRITICAL Act Now

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-47997 MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2026-47988 CRITICAL Act Now

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-47999 MEDIUM This Month

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
4.8
EPSS
11.5%
CVE-2026-48358 CRITICAL Act Now

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis.

RCE Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-48356 CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe Adobe Commerce Adobe Commerce B2B +2
NVD
CVSS 3.1
9.6
EPSS
28.3%
CVE-2026-47998 MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
5.9
EPSS
0.6%
CVE-2026-48000 MEDIUM This Month

Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.

Open Redirect Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2026-47995 MEDIUM This Month

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.

XSS Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.7%
CVE-2026-48001 LOW Monitor

Adobe Commerce is affected by an Information Exposure vulnerability that could lead to a limited disclosure of sensitive information. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Adobe Information Disclosure Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
3.7
EPSS
0.6%
CVE-2026-48371 MEDIUM This Month

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-47996 MEDIUM This Month

Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. There is no public exploit identified at time of analysis and no CISA KEV listing, making exploitation currently theoretical rather than observed.

Authentication Bypass Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD
CVSS 3.1
6.8
EPSS
18.5%
CVE-2026-47994 MEDIUM This Month

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. No public exploit identified at time of analysis, but the 8.7 CVSS and account-takeover impact make this a meaningful priority for e-commerce operators running the affected platforms.

XSS Adobe Adobe Commerce Adobe Commerce B2B Magento Open Source +1
NVD VulDB
CVSS 3.1
5.4
EPSS
0.9%
CVE-2026-47992 HIGH This Week

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

SQLi RCE Adobe Adobe Commerce Adobe Commerce B2B +2
NVD VulDB
CVSS 3.1
7.2
EPSS
19.6%
CVE-2023-22251 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Adobe Information Disclosure Authentication Bypass Commerce Magento Open Source
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-22250 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Authentication Bypass Commerce Magento Open Source
NVD
CVSS 3.1
5.3
EPSS
1.0%
CVE-2023-22249 PHP MEDIUM This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Adobe XSS Commerce Magento Open Source
NVD
CVSS 3.1
4.8
EPSS
57.4%
CVE-2023-22247 PHP HIGH PATCH This Week

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Code Injection Commerce Magento Open Source
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-35698 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Adobe Commerce Magento Open Source
NVD
CVSS 3.1
5.4
EPSS
9.7%
CVE-2022-35689 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Adobe Commerce Magento Open Source
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-39864 PHP MEDIUM PATCH This Month

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-36044 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2021-36043 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Redis RCE SSRF Adobe Adobe Commerce +1
NVD
CVSS 3.1
6.6
EPSS
1.9%
CVE-2021-36042 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.5%
CVE-2021-36041 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.4%
CVE-2021-36040 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.9%
CVE-2021-36039 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Adobe Authentication Bypass Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-36038 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2021-36037 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Adobe Information Disclosure Authentication Bypass Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2021-36035 HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.8%
CVE-2021-36034 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.4%
CVE-2021-36033 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2021-36032 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Information Disclosure Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2021-36031 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Path Traversal Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2021-36030 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-36029 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Adobe RCE Authentication Bypass Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.5%
CVE-2021-36028 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.9%
CVE-2021-36027 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-36026 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.1
EPSS
1.7%
CVE-2021-36025 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.8%
CVE-2021-36024 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
2.9%
CVE-2021-36022 PHP HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
7.2
EPSS
3.4%
CVE-2021-36020 PHP CRITICAL PATCH Act Now

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
9.8
EPSS
2.7%
CVE-2021-36012 PHP MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Adobe Adobe Commerce Magento Open Source
NVD
CVSS 3.1
6.5
EPSS
1.8%
CVE-2021-21012 MEDIUM This Month

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Information Disclosure Authentication Bypass Magento Commerce Magento Open Source
NVD
CVSS 3.0
5.3
EPSS
4.0%
EPSS 1% CVSS 9.1
CRITICAL Act Now

Security feature bypass in Adobe Commerce, Magento Open Source, Adobe Commerce B2B, and the Adobe Commerce Webhooks Plugin allows a remote unauthenticated attacker (PR:N/UI:N) to circumvent authorization checks and obtain unauthorized read and write access to protected resources. Rooted in an incorrect authorization flaw (CWE-863), it carries a critical 9.1 CVSS with high confidentiality and integrity impact and requires no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, no-privilege profile on a high-value e-commerce platform makes it a strong patch priority.

Authentication Bypass Adobe Adobe Commerce +3
NVD VulDB
EPSS 1% CVSS 5.9
MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Improper authorization in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows remote unauthenticated attackers to bypass security controls and obtain unauthorized read and write access to protected data or functionality. The flaw carries a CVSS 9.1 rating, requires no user interaction, and per the CVSS vector needs no privileges (PR:N). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, unauthenticated nature makes it high priority for internet-facing storefronts.

Authentication Bypass Adobe Adobe Commerce +3
NVD VulDB
EPSS 12% CVSS 4.8
MEDIUM This Month

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 10.0
CRITICAL Act Now

Remote code execution in Adobe Commerce (Magento) allows attackers to run arbitrary code in the context of the current user through an improper output encoding/escaping flaw (CWE-116), scored CVSS 10.0 with a changed scope. It affects Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin across a wide range of versions up to 2.4.9 (and B2B up to 1.5.3). Exploitation requires no user interaction; per CVSS PR:N it is unauthenticated, though SSVC rates it as not automatable and there is no public exploit identified at time of analysis.

RCE Adobe Adobe Commerce +3
NVD
EPSS 28% CVSS 9.6
CRITICAL Act Now

Arbitrary code execution in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source stems from an unrestricted file upload (CWE-434) that runs in the context of the current user, letting an attacker inject malicious scripts and hijack a victim's account or session. Exploitation is network-reachable and marked unauthenticated by the CVSS vector but requires the victim to visit a crafted URL or interact with a compromised page, and the scope is changed (impact extends beyond the vulnerable component). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; Adobe rates it CVSS 9.6 critical.

File Upload RCE Adobe +4
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Authentication Bypass Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Adobe Commerce is affected by an Improper Redirect (Open Redirect) vulnerability that could result in a Security feature bypass. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site, potentially enabling credential theft and account takeover. Exploitation of this issue requires user interaction in that a victim must click on a malicious link.

Open Redirect Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 4.8
MEDIUM This Month

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin lets a high-privileged authenticated attacker persist malicious JavaScript in form fields that executes in a victim's browser when the affected page is viewed. Because CVSS scope is changed and the payload runs in the victim's authenticated context, an attacker can escalate to takeover of a higher-privileged admin session or account. No public exploit identified at time of analysis; remediated in Adobe security bulletin APSB26-73.

XSS Adobe Adobe Commerce +3
NVD VulDB
EPSS 1% CVSS 3.7
LOW Monitor

Adobe Commerce is affected by an Information Exposure vulnerability that could lead to a limited disclosure of sensitive information. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

Adobe Information Disclosure Adobe Commerce +3
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Adobe Commerce is affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.

XSS Adobe Adobe Commerce +3
NVD
EPSS 19% CVSS 6.8
MEDIUM This Month

Security feature bypass in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks plugin allows a high-privileged, authenticated attacker to defeat an authorization check (CWE-863) and gain unauthorized read access to data that should be restricted. The flaw is network-reachable with low complexity, requires no user interaction, and changes scope, so the exposure can reach beyond the initially vulnerable component. There is no public exploit identified at time of analysis and no CISA KEV listing, making exploitation currently theoretical rather than observed.

Authentication Bypass Adobe Adobe Commerce +3
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in Adobe Commerce, Adobe Commerce B2B, and Magento Open Source lets a low-privileged authenticated attacker persist malicious JavaScript into vulnerable form fields, which then executes in a victim's browser and can escalate to account or session takeover. Because scope is changed (S:C), the injected script runs in a security context beyond the attacker's own privileges - the hallmark of admin-panel or storefront XSS crossing a trust boundary. No public exploit identified at time of analysis, but the 8.7 CVSS and account-takeover impact make this a meaningful priority for e-commerce operators running the affected platforms.

XSS Adobe Adobe Commerce +3
NVD VulDB
EPSS 20% CVSS 7.2
HIGH This Week

SQL injection in Adobe Commerce, Adobe Commerce B2B, Magento Open Source, and the Adobe Commerce Webhooks Plugin allows a high-privileged authenticated attacker to inject malicious SQL that can escalate to arbitrary code execution in the context of the current user, enabling account/session takeover. The flaw (CWE-89) is network-reachable and requires no user interaction, but demands existing high privileges per the CVSS PR:H metric. No public exploit is identified at time of analysis and it is not listed in CISA KEV; EPSS was not provided.

SQLi RCE Adobe +4
NVD VulDB
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Adobe Information Disclosure Authentication Bypass +2
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Authentication Bypass Commerce +1
NVD
EPSS 57% CVSS 4.8
MEDIUM This Month

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Adobe XSS Commerce +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Code Injection Commerce +1
NVD
EPSS 10% CVSS 5.4
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Adobe +2
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Adobe Commerce +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Adobe Commerce +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 6.6
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Redis RCE SSRF +3
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE File Upload Adobe +2
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Adobe Authentication Bypass Adobe Commerce +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Adobe Information Disclosure Authentication Bypass +2
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Information Disclosure Adobe +2
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Path Traversal Adobe +2
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper improper authorization vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Adobe RCE Authentication Bypass +2
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Adobe Adobe Commerce +1
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Adobe +2
NVD
EPSS 3% CVSS 7.2
HIGH PATCH This Week

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Adobe +2
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Adobe Adobe Commerce +1
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Adobe Adobe Commerce +1
NVD
EPSS 4% CVSS 5.3
MEDIUM This Month

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Adobe Information Disclosure Authentication Bypass +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy