Magento Magento e-commerce software

  1. Vendors
  2. Magento

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Magento product.

RSS Feeds for Magento security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Magento products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Magento Sorted by Most Security Vulnerabilities since 2018

Magento212 vulnerabilities

Magento Upward Connector1 vulnerability

Magento Upward Php1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Magento. Magento did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 3 7.20
2022 9 7.58
2021 24 5.25
2020 38 6.23
2019 137 9.80
2018 1 6.50

It may take a day or so for new Magento vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Magento Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2021-36021 Sep 06, 2023
Magento 2.4.2 (2.4.2) RCE via CMS Scheduled Update Improper Validation Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system.
Magento
CVE-2021-36023 Sep 06, 2023
Magento XML Injection in Widgets Update Layout RCE (2.4.2) Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
Magento
CVE-2021-36036 Sep 06, 2023
Magento 2.4.2 Media Gallery Upload Improper Access Delete .htaccess Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.
Magento
CVE-2022-42344 Oct 20, 2022
Adobe Commerce 2.4.4 and earlier: Incorrect Auth Info Exposure & PrivEsc Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Incorrect Authorization vulnerability. An authenticated attacker can exploit this vulnerability to achieve information exposure and privilege escalation.
Magento
CVE-2022-34258 Aug 16, 2022
Adobe Commerce <=2.4.4 Stored XSS in admin form fields Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field.
Magento
CVE-2022-34253 Aug 16, 2022
Adobe Commerce XML Injection RCE in Widgets Module 2.4.3-p2 Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.
Magento
CVE-2022-34256 Aug 16, 2022
Adobe Commerce 2.4.3p2 IMPAUTH Priv Escalation Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction.
Magento
CVE-2022-34259 Aug 16, 2022
Adobe Commerce <2.4.4 Improper Access Control Bypass Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
Magento
CVE-2022-34255 Aug 16, 2022
Adobe Commerce Before 2.4.3-p2: Improper Access Control (Privilege Escalation) Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction.
Magento
CVE-2022-34257 Aug 16, 2022
Adobe Commerce 2.4.3p2 XSS via vulnerable form fields Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victims browser when they browse to the page containing the vulnerable field.
Magento
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.