Vulners
Lucene search
CVE-2025-54236
🗓️ 09 Sep 2025 13:20:17Reported by adobeType 
cve🔗 web.nvd.nist.gov📰️ 30 Media mentions👁 483 Views🌐 WEB
| Reporter | Title | Published | Views | Family All 41 |
|---|---|---|---|---|
 | Exploit for Improper Input Validation in Adobe Commerce | 19 Mar 202614:44 | – | githubexploit |
| Exploit for Improper Input Validation in Adobe Commerce | 24 May 202616:08 | – | githubexploit |
| Exploit for Improper Input Validation in Adobe Commerce | 6 Nov 202509:38 | – | githubexploit |
| Exploit for Improper Input Validation in Adobe Commerce | 30 Dec 202506:38 | – | githubexploit |
 | Adobe Commerce/Magento Open Source Improper Input Validation (APSB25-88) | 23 Sep 202500:00 | – | nessus |
| Adobe Commerce B2B Improper Input Validation (APSB25-88) | 23 Sep 202500:00 | – | nessus |
| Adobe Commerce / Magento Insecure Deserialization (SessionReaper) | 24 Oct 202500:00 | – | nessus |
 | The Grim SessionReaper (CVE-2025-54236) Comes to Collect for Halloween | 27 Oct 202505:00 | – | akamaiblog |
 | APSB25-88 : Security update available for Adobe Commerce | 9 Sep 202500:00 | – | adobe |
 | CVE-2025-54236 | 8 Sep 202516:59 | – | circl |
10
Node
OROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROR
Node
OROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROR
Node
OROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROROR
[
{
"defaultStatus": "affected",
"product": "Adobe Commerce",
"vendor": "Adobe",
"versions": [
{
"lessThanOrEqual": "2.4.4-p15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
]| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| paymentMethod | request body | rest/default/V1/guest-carts/{cartId}/order | REST call used to trigger deserialization via Magento vulnerable path (PUT to guest cart order). | CWE-20 |
| paymentMethod.paymentData.context.urlBuilder.session.sessionConfig.savePath | request body | rest/default/V1/guest-carts/{cartId}/order | REST call used to trigger deserialization via Magento vulnerable path (PUT to guest cart order). | CWE-20 |
| cartId | request body | rest/default/V1/guest-carts/{cartId}/order | REST call used to trigger deserialization via Magento vulnerable path (PUT to guest cart order). | CWE-20 |
| orderId | request body | rest/default/V1/guest-carts/{cartId}/order | REST call used to trigger deserialization via Magento vulnerable path (PUT to guest cart order). | CWE-20 |
| form_key | upload data | customer/address_file/upload | Multipart upload endpoint used to stage the malicious session file for deserialization. | CWE-20 |
| custom_attributes[country_id] | upload data | customer/address_file/upload | Multipart upload endpoint used to stage the malicious session file for deserialization. | CWE-20 |
| filename | upload data | customer/address_file/upload | Multipart upload endpoint used to stage the malicious session file for deserialization. | CWE-20 |
| boundary | upload data | customer/address_file/upload | Multipart upload endpoint used to stage the malicious session file for deserialization. | CWE-20 |
| <payload_post_param> | request body | pub/{exploitFilename} | Directly executes the payload by posting base64-encoded code to the dropped PHP file. | CWE-20 |
10
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 May 2026 22:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.19.1
EPSS0.96742
SSVC