Adobe Commerce


Recent Adobe Commerce Security Advisories

Advisory    Title                                                      Published
APSB26-05   Security Updates Available for Adobe Commerce | APSB26-05  March 10, 2026
APSB25-94   Security Updates Available for Adobe Commerce | APSB25-94  October 14, 2025
APSB25-88   Security Updates Available for Adobe Commerce | APSB25-88  September 9, 2025
APSB25-71   Security Updates Available for Adobe Commerce | APSB25-71  August 12, 2025
APSB25-50   Security Updates Available for Adobe Commerce | APSB25-50  June 10, 2025
APSB25-26   Security Updates Available for Adobe Commerce | APSB25-26  April 8, 2025
APSB25-08   Security Updates Available for Adobe Commerce | APSB25-08  February 11, 2025
APSB24-90   Security Updates Available for Adobe Commerce | APSB24-90  November 12, 2024
APSB24-73   Security Updates Available for Adobe Commerce | APSB24-73  October 8, 2024
APSB24-61   Security Updates Available for Adobe Commerce | APSB24-61  August 14, 2024

By the Year

In 2026 there have been 19 vulnerabilities in Adobe Commerce with an average score of 5.9 out of ten. Last year, in 2025, Adobe Commerce had 53 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Adobe Commerce in 2026 could surpass last year's number. Last year, the average CVE base score was higher by 0.56.

Year   Vulnerabilities   Average Score
2026   19                5.92
2025   53                6.48
2024   49                5.49
2023   0                 0.00
2022   2                 7.55
2021   23                7.17

It may take a day or so for new Adobe Commerce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Adobe Commerce Security Vulnerabilities

Adobe Commerce 2.4.x XSS in Stored Form Fields
CVE-2026-21291 4.8 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce SSRF Bypass 2.4.x
CVE-2026-21293 5.5 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Exploitation of this issue does not require user interaction.

SSRF

Improper Input Validation in Adobe Commerce 2.4.9-alpha3 & prior leads to DoS
CVE-2026-21282 5.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploitation of this issue does not require user interaction.

Improper Input Validation

Adobe Commerce <=2.4.9-alpha3: Auth Bypass via Incorrect Authorization
CVE-2026-21286 5.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce SSRF before 2.4.9-a3 & 2.4.8-p3 (Security bypass)
CVE-2026-21294 5.5 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitation of this issue does not require user interaction.

SSRF

Adobe Commerce 2.4.x Incorrect Auth: Security Feature Bypass (CVE-2026-21297)
CVE-2026-21297 4.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce <2.4.9-alpha3 XSS Vulnerability
CVE-2026-21284 8.1 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce Incorrect Auth 2.4.9-alpha3 to 2.4.4-p16
CVE-2026-21359 4.7 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce 2.4.x Auth Bypass (Security Feature Exemption)
CVE-2026-21309 7.5 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce XSS in Form Fields v2.4.9-alpha3 & Earlier
CVE-2026-21292 5.4 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce Improper Input Validation, pre-2.4.9-alpha3
CVE-2026-21310 5.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction.

Improper Input Validation

Adobe Commerce v2.4.x Incorrect Auth Bypass (Before 2.4.9-alpha3)
CVE-2026-21285 4.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce XSS in form fields pre-2.4.9 enables session hijack
CVE-2026-21290 8.7 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce <=2.4.9-alpha3: Incorrect Auth Bypass (SECAUTH)
CVE-2026-21289 7.5 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce 2.4.x Stored XSS before 2.4.9-alpha3 (CVE-2026-21361)
CVE-2026-21361 8.1 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce 2.4.5-p15 & earlier Path Traversal (2.4.9-alpha3)
CVE-2026-21360 6.8 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restricted path. Exploitation of this issue does not require user interaction.

Directory traversal

Adobe Commerce 2.4.9-alpha3 Incorrect Auth Bypass (Security Feature)
CVE-2026-21296 4.3 - Medium - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce <2.4.9 stored XSS in form fields
CVE-2026-21311 8 - High - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.

XSS

Adobe Commerce 2.4.9-alpha3 & earlier: Open Redirect Vulnerability
CVE-2026-21295 3.1 - Low - March 11, 2026

Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

Open Redirect

Adobe Commerce 2.4.9-alpha2 and earlier: Incorrect Authorization (Bypass Auth)
CVE-2025-54267 6.5 - Medium - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Cross-Site Scripting (XSS) in form fields (v2.4.*)
CVE-2025-54266 4.8 - Medium - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

XSS

Adobe Commerce 2.4.9-alpha2 and earlier: Incorrect Auth Bypass
CVE-2025-54263 8.1 - High - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce <= 2.4.9-alpha2 Incorrect Auth bypass (read access)
CVE-2025-54265 5.9 - Medium - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce XSS in form fields before 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7
CVE-2025-54264 8.1 - High - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

XSS

Adobe Commerce Improper Input Validation (Session Takeover) 2.4.9-alpha2 & prior
CVE-2025-54236 9.1 - Critical - September 09, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Improper Input Validation

Adobe Commerce Path Traversal RCE before 2.4.9-alpha1
CVE-2025-49559 5.3 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.

Directory traversal

Adobe Commerce <=2.4.9-alpha1 RCE via TOCTOU Race Condition
CVE-2025-49558 5.9 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction.

TOCTTOU

Adobe Commerce <=2.4.9 XSS in form fields (CVE-2025-49557)
CVE-2025-49557 5.4 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

XSS

Adobe Commerce <=2.4.9-alpha1 Auth Bypass (Incorrect Auth)
CVE-2025-49556 7.5 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.

AuthZ

Adobe Commerce <2.4.9: PrivEsc via CSRF
CVE-2025-49555 8.1 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed.

Session Riding

Adobe Commerce Improper Input Validation (DDoS) before 2.4.9-alpha1
CVE-2025-49554 7.5 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction.

Improper Input Validation

Adobe Commerce Improper Auth Bypass before 2.4.8
CVE-2025-43585 8.2 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce XSS in form fields, affected 2.4.8 and earlier
CVE-2025-47110 8.4 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.

XSS

Adobe Commerce Improper Access Control Bypass in 2.4.8+ Grants Write Access
CVE-2025-27206 5.3 - Medium - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce Improper Access Control before 2.4.9 allows privilege escalation
CVE-2025-43586 8.1 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce Improper Access Control allows privilege escalation pre-2.4.9
CVE-2025-27207 6.5 - Medium - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce 2.4.7-p4 and earlier Insufficiently Protected Credentials
CVE-2025-27192 2.7 - Low - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high-privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.

Insufficiently Protected Credentials

Adobe Commerce <2.4.8-beta2 Improper Access Control (Security Feature Bypass)
CVE-2025-27191 5.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce 2.4.7-p4 Improper AC Bypass (CVE-2025-27190)
CVE-2025-27190 5.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

Authorization

CSRF Causing DoS in Adobe Commerce 2.4.7-p4 & Earlier
CVE-2025-27189 4.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could be exploited to cause a denial-of-service condition. An attacker could trick a logged-in user into submitting a forged request to the vulnerable application, which may disrupt service availability. Exploitation of this issue requires user interaction, typically in the form of clicking a malicious link or visiting an attacker-controlled website.

Session Riding

Adobe Commerce <= 2.4.8-beta2 Improper Authorization: Priv Escalation
CVE-2025-27188 4.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce <2.4.8-beta1: Stored XSS in form fields
CVE-2025-24412 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce 2.4.8-beta1 Incorrect Auth Bypass Allows Data Mod
CVE-2025-24420 4.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to modify select data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce <2.5 Incorrect Auth Bypass (2.4.x)
CVE-2025-24419 4.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to modify select data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Improper Auth Enables Priv Esc (2.4.8-beta1)
CVE-2025-24418 8.1 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Stored XSS before v2.4.8-beta1, 2.4.7-p3, 2.4.6-p8
CVE-2025-24417 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce XSS in Form Fields (v2.4.8-beta1) Session Takeover Risk
CVE-2025-24416 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce 2.4.8-beta1 Stored XSS in form fields
CVE-2025-24415 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce 2.4.8-2.4.4 Info Exposure Priv Esc
CVE-2025-24408 6.5 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. A low-privileged attacker could gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.

Information Disclosure

Adobe Commerce XSS in Form Fields (2.4.8-beta1) CVE-2025-24410
CVE-2025-24410 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS


Vendor: Adobe