Adobe Magento

Recent Adobe Magento Security Advisories

Advisory    Title                                              Published
APSB22-48   Security Updates Available for Magento | APSB22-48  August 22, 2022
APSB22-38   Security Updates Available for Magento | APSB22-38  August 9, 2022
APSB22-13   Security Updates Available for Magento | APSB22-13  April 13, 2022
APSB22-12   Security Updates Available for Magento | APSB22-12  February 13, 2022
APSB21-86   Security Updates Available for Magento | APSB21-86  October 12, 2021
APSB21-64   Security Updates Available for Magento | APSB21-64  August 11, 2021
APSB21-30   Security Updates Available for Magento | APSB21-30  May 11, 2021
APSB21-08   Security Updates Available for Magento | APSB21-08  February 9, 2021
APSB20-41   Security Updates Available for Magento | APSB20-41  June 22, 2020
APSB20-22   Security Updates Available for Magento | APSB20-22  April 28, 2020

EOL Dates

Ensure that you are using a supported version of Adobe Magento. The end-of-life and end-of-support dates for Adobe Magento releases are listed below.

Release  EOL Date            Status  Notes
2.4.8    -                   Active
2.4.7    -                   Active
2.4.6    -                   Active
2.4.5    November 25, 2024   EOL     Became EOL in 2024; extended support ended in 2025
2.4.4    November 25, 2024   EOL     Became EOL in 2024; extended support ended in 2025
2.4.3    November 28, 2022   EOL     Became EOL in 2022; support ended in 2022
2.4.2    November 28, 2022   EOL     Became EOL in 2022; support ended in 2022
2.4.1    November 28, 2022   EOL     Became EOL in 2022; support ended in 2022
2.4.0    November 28, 2022   EOL     Became EOL in 2022; support ended in 2022
2.3      September 30, 2022  EOL     Became EOL in 2022; support ended in 2022
2.2      December 1, 2019    EOL     Became EOL in 2019; support ended in 2019
2.1      June 1, 2019        EOL     Became EOL in 2019; support ended in 2019
2.0      March 1, 2018       EOL     Became EOL in 2018; support ended in 2018
1.9      June 1, 2020        EOL     Became EOL in 2020; support ended in 2020
1.8      June 1, 2020        EOL     Became EOL in 2020; support ended in 2014
1.7      June 1, 2020        EOL     Became EOL in 2020; support ended in 2013
1.6      June 1, 2020        EOL     Became EOL in 2020; support ended in 2012
1.5      June 1, 2020        EOL     Became EOL in 2020; support ended in 2012
1.4      February 1, 2012    EOL     Became EOL in 2012; support ended in 2011
1.3      March 1, 2011       EOL     Became EOL in 2011; support ended in 2010

By the Year

In 2025 there have been 40 vulnerabilities in Adobe Magento, with an average CVE base score of 6.4 out of ten. Last year, in 2024, Magento had 58 security vulnerabilities published. Right now, Magento is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.45.

Year  Vulnerabilities  Average Score
2025  40               6.39
2024  58               5.94
2023  21               5.87
2022  0                0.00
2021  1                8.10
2020  1                8.10

It may take a day or so for new Magento vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Adobe Magento Security Vulnerabilities

Adobe Commerce <= 2.4.9-alpha2 Incorrect Auth bypass (read access)
CVE-2025-54265 5.9 - Medium - October 14, 2025

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Improper Input Validation (DDoS) before 2.4.9-alpha1
CVE-2025-49554 7.5 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction.

Improper Input Validation

Adobe Commerce <2.4.9: PrivEsc via CSRF
CVE-2025-49555 8.1 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed.

Session Riding

Adobe Commerce <=2.4.9-alpha1 Auth Bypass (Incorrect Auth)
CVE-2025-49556 7.5 - High - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.

AuthZ

Adobe Commerce <=2.4.9 XSS in form fields (CVE-2025-49557)
CVE-2025-49557 5.4 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

XSS

Adobe Commerce <=2.4.9-alpha1 RCE via TOCTOU Race Condition
CVE-2025-49558 5.9 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction.

TOCTTOU

Adobe Commerce Path Traversal RCE before 2.4.9-alpha1
CVE-2025-49559 5.3 - Medium - August 12, 2025

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.

Directory traversal

Adobe Commerce Incorrect Auth Bypass v2.4.8 and Prior
CVE-2025-49549 2.7 - Low - June 25, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Incorrect Auth Vulnerability (CVE-2025-49550) – <2.5
CVE-2025-49550 4.3 - Medium - June 25, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.

AuthZ

Adobe Commerce Improper Access Control Bypass in 2.4.8+ Grants Write Access
CVE-2025-27206 5.3 - Medium - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce Improper Auth Bypass before 2.4.8
CVE-2025-43585 8.2 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Improper Access Control before 2.4.9 allows privilege escalation
CVE-2025-43586 8.1 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce XSS in form fields, affected 2.4.8 and earlier
CVE-2025-47110 8.4 - High - June 10, 2025

Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.

XSS

Adobe Commerce 2.4.7-p4 Improper AC Bypass (CVE-2025-27190)
CVE-2025-27190 5.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce <2.4.8-beta2 Improper Access Control (Security Feature Bypass)
CVE-2025-27191 5.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce 2.4.7-p4 and earlier Insufficiently Protected Credentials
CVE-2025-27192 2.7 - Low - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.

Insufficiently Protected Credentials

Adobe Commerce <= 2.4.8-beta2 Improper Authorization: Priv Escalation
CVE-2025-27188 4.3 - Medium - April 08, 2025

Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Improper Access Control Bypass v2.4.8-beta1 & Earlier
CVE-2025-24411 8.1 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access affecting Confidentiality and Integrity. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce Stored XSS in Form Fields (v2.4.8-beta1&below)
CVE-2025-24438 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce Incorrect Auth (CVE-2025-24437) v2.4.4-p11 to 2.4.8-beta1
CVE-2025-24437 5.4 - Medium - February 11, 2025

Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view or modify select information. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce 2.4.7-p3 Authorization Bypass Allows Low-Priv Info Access
CVE-2025-24436 4.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view select information. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Improper Access Control v2.4.8-beta1/v2.4.7-p3 Priv Escalation
CVE-2025-24435 4.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to modify limited fields. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce <= 2.4.8-beta1 Incorrect Auth. + Priv Esc
CVE-2025-24434 9.1 - Critical - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

AuthZ

Adobe Commerce 2.4.8-2.4.4 TOCTOU Race Condition Bypass Rate Limiting
CVE-2025-24432 3.7 - Low - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing rate limiting mechanisms. Exploitation of this issue does not require user interaction.

TOCTTOU

Adobe Commerce TOCTOU Race in 2.4.8-beta1-2.4.4-p11 Bypass Rate Limiting
CVE-2025-24430 3.7 - Low - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing rate limiting mechanisms. Exploitation of this issue does not require user interaction.

TOCTTOU

Adobe Commerce <=2.4.8 Improper Access Control read-only bypass
CVE-2025-24429 3.5 - Low - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass allowing read only access. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.

Authorization

Adobe Commerce Stored XSS in Form Fields (v2.4.8-beta1 and earlier)
CVE-2025-24428 5.4 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

XSS

Adobe Commerce <2.4.4-P11 Path Traversal: Unauth File Mod
CVE-2025-24406 7.5 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.

Directory traversal

Adobe Commerce <2.4.8-beta1: Stored XSS in form fields
CVE-2025-24412 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce Improper Access Control Bypass (2.4.x) Low-Priv Write Access
CVE-2025-24427 6.5 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce 2.4.8-2.4.4 Info Exposure Priv Esc
CVE-2025-24408 6.5 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. A low-privileged attacker could gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.

Information Disclosure

Adobe Commerce 2.4.x: Incorrect Auth Bypass (CVE-2025-24409)
CVE-2025-24409 8.2 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both a High impact to confidentiality and Low impact to integrity. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce XSS in Form Fields (2.4.8-beta1 and earlier) CVE-2025-24410
CVE-2025-24410 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce XSS in form fields 2.4.8-beta1 and earlier
CVE-2025-24413 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Stored XSS in Adobe Commerce 2.4.8-beta1 & earlier
CVE-2025-24414 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce XSS in Form Fields (v2.4.8-beta1) Session Takeover Risk
CVE-2025-24416 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce Stored XSS before v2.4.8-beta1, 2.4.7-p3, 2.4.6-p8
CVE-2025-24417 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce <2.4.8-beta1 Auth Bypass (Incorrect Auth) Read Data
CVE-2025-24421 4.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to read select data. Exploitation of this issue does not require user interaction.

AuthZ

Adobe Commerce Security Feature Bypass via Business Logic (<= 2.4.8-beta1)
CVE-2025-24425 5.3 - Medium - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to circumvent intended security mechanisms by manipulating the logic of the application's operations causing limited data modification. Exploitation of this issue does not require user interaction.

Business Logic Errors

Adobe Commerce 2.4.8-beta1 Stored XSS in form fields
CVE-2025-24415 8.7 - High - February 11, 2025

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.

XSS

Adobe Commerce 3.2.5 and earlier SSRF: Security Feature Bypass
CVE-2024-49521 7.7 - High - November 12, 2024

Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction.

SSRF

Adobe Commerce 2.4.7-p2: InfoEx Bypass in Admin Panel
CVE-2024-45134 2.7 - Low - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user interaction.

Information Disclosure

Improper Access Control in Adobe Commerce <2.4.7-p2 (Security Feature Bypass)
CVE-2024-45135 2.7 - Low - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce Improper Auth in 2.4.7 and earlier (feature bypass)
CVE-2024-45148 8.8 - High - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to gain unauthorized access without proper credentials. Exploitation of this issue does not require user interaction.

Authentication

Adobe Commerce 2.4.7-p2 Improper Access Control (SFB)
CVE-2024-45149 2.7 - Low - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce <=2.4.7 Improper Input Validation Enables File Read
CVE-2024-45117 7.6 - High - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to read files from the system outside of the intended directories via PHP filter chain and also can have a low-availability impact on the service. Exploitation of this issue does not require user interaction and scope is changed.

Improper Input Validation

Adobe Commerce <2.4.7-p2 Improper Access Control Bypass (CVE-2024-45118)
CVE-2024-45118 6.5 - Medium - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have high impact on integrity. Exploitation of this issue does not require user interaction.

Authorization

Adobe Commerce SSRF via Admin URL Fetch (2.4.7-p2)
CVE-2024-45119 4.9 - Medium - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

SSRF

Adobe Commerce Improper Auth (2.4.7-p2) Privilege Escalation
CVE-2024-45115 9.8 - Critical - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.

Authentication

Adobe Commerce <2.4.8 XSS via crafted links triggers code
CVE-2024-45116 8.1 - High - October 10, 2024

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. If an admin attacker can trick a user into clicking a specially crafted link or submitting a form, malicious scripts may be executed within the context of the victim's browser and have high impact on confidentiality and integrity. Exploitation of this issue requires user interaction.

XSS
