184 matches found
CVE-2022-24086
CVE-2022-24086 affects Adobe Commerce and Magento Open Source via an improper input validation vulnerability during checkout, allowing arbitrary code execution without user interaction. Affected: Adobe Commerce 2.4.3-p1 and earlier, 2.3.7-p2 and earlier. Evidence from multiple advisories confirms...
CVE-2022-24093
Summary: CVE-2022-24093 affects Adobe Commerce and Magento Open Source, with an improper input validation vulnerability that could enable post-authentication arbitrary code execution. Affected versions (per sources): Adobe Commerce 2.4.3-p1 and earlier; 2.3.7-p2 and earlier (and related 2.x lines...
CVE-2025-54236
CVE-2025-54236 affects Adobe Commerce and Magento Open Source: Improper Input Validation could allow an attacker to take over customer sessions (high confidentiality/integrity impact); the flaw is exploitable over the network without user interaction. Affected: Adobe Commerce 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12,...
CVE-2024-34102
CVE-2024-34102 is an XXE vulnerability in Adobe Commerce/Magento Open Source that allows remote code execution. The issue affects Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier, via improper restriction of XML external entity references. Exploitation can occur without use...
CVE-2025-24434
Adobe Commerce (Magento) is affected by an Incorrect/Improper Authorization vulnerability (CVE-2025-24434) impacting versions including 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The issue allows privilege escalation and session takeover without user interaction. Root caus...
CVE-2023-22247
Adobe Commerce (Magento) XML Injection vulnerability CVE-2023-22247 affects 2.4.4-p2 and earlier, and 2.4.5-p1 and earlier. An unauthenticated attacker can force the application to make arbitrary requests by injecting URLs, potentially enabling arbitrary file system read. Impact is high for confi...
CVE-2024-20758
Adobe Commerce (Magento) vulnerable versions: 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier suffer an Improper Input Validation flaw that can lead to arbitrary code execution on the underlying filesystem. Exploitation does not require user interaction, but the attack complexity is high. A...
CVE-2024-20720
Adobe Commerce (Magento) OS Command Injection (CVE-2024-20720) affects 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. The issue stems from improper neutralization of special elements used in an OS command, enabling arbitrary code execution. Exploitation is possible over the network without user intera...
CVE-2022-34258
Adobe Commerce and Magento Open Source are affected by a stored XSS vulnerability in versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier. The issue can be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields, with malicious Jav...
CVE-2022-34257
Summary: CVE-2022-34257 refers to a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce affecting versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier. The issue allows an attacker to inject malicious scripts into vulnerable form fields, with JavaScript execute...
CVE-2023-22249
Adobe Commerce (Magento) has a stored Cross-Site Scripting (XSS) vulnerability affecting versions 2.4.4-p2 and earlier and 2.4.5-p1 and earlier. The issue involves vulnerable form fields into which malicious JavaScript can be injected and then executed in a user’s browser. The CVSS vector indicates a high-privileges ...
CVE-2025-24406
CVE-2025-24406 concerns Adobe Commerce; multiple historical releases (2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier) are affected by an improper pathname limitation vulnerability (Path Traversal). An unauthenticated attacker could bypass a security feature and modify files sto...
CVE-2022-35698
The CVE-2022-35698 entry concerns a Stored Cross-Site Scripting vulnerability in Adobe Commerce and Magento Open Source, affecting Adobe Commerce 2.4.4-p1 and earlier and 2.4.5 and earlier. The issue can allow post-authentication arbitrary code execution, with exploitation described as not requir...
CVE-2024-39397
Adobe Commerce (Magento) is affected by CVE-2024-39397: Unrestricted Upload of File with Dangerous Type that could lead to arbitrary code execution. Affected versions include 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue arises from uploading a dangerous file that is then executed...
CVE-2022-34259
CVE-2022-34259 affects Adobe Commerce (Magento) versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier. The issue is described as an improper access control that could bypass security features and impact the availability of a user’s minor feature, with exploitation not requiri...
CVE-2022-35689
Adobe Commerce and Magento Open Source are affected by CVE-2022-35689: an Improper Access Control flaw in Adobe Commerce versions 2.4.4-p1 and earlier, and 2.4.5 and earlier, could bypass security features and affect availability of a user feature. Exploitation is possible without user interactio...
CVE-2024-34104
Adobe Commerce (Magento Open Source) versions affected by CVE-2024-34104 include 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The issue is described as Improper Authorization that could bypass security features, allowing unauthorized access with confidentiality and integrity impact. Exploitat...
CVE-2023-29290
CVE-2023-29290 affects Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The vulnerability is an Incorrect Authorization issue that could bypass a security feature and enable bypass of a minor functionality without user interaction. The CVE has a Medium ba...
CVE-2023-38218
CVE-2023-38218 affects Adobe Commerce/Magento Open Source (Community Edition): versions 2.4.7-beta1 and earlier, down to and including the 2.4.4-p5 and earlier line, are vulnerable to Incorrect Authorization via the V1/customers/me endpoint, enabling an authenticated attacker to cause information exposure and privilege esc...
CVE-2023-29297
CVE-2023-29297 affects Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier with an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an authenticated attacker with admin privileges. Exploitation doe...
CVE-2024-34111
CVE-2024-34111 is a Server-Side Request Forgery (SSRF) affecting Adobe Commerce/Magento Open Source versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The issue allows a low-privilege, authenticated attacker to cause arbitrary file system reads by injecting ...
CVE-2024-20719
CVE-2024-20719 is a stored XSS vulnerability in Adobe Commerce (Magento) affecting versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. The issue allows an authenticated admin to inject malicious scripts that run in the victim’s admin pages, potentially enabling elevation to admin access. Root caus...
CVE-2024-34109
CVE-2024-34109 affects Adobe Commerce/Magento Open Source; affected versions are 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. It is an Improper Input Validation vulnerability that could enable arbitrary code execution in the context of the current user. Exploitation does not require user inte...
CVE-2024-39406
Adobe Commerce/Magento Open Source path traversal (CVE-2024-39406) affects versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue is an Improper Limitation of a Pathname to a Restricted Directory, enabling an attacker to read arbitrary files outside the restricted path without use...
CVE-2023-38208
CVE-2023-38208 affects Adobe Commerce and Magento: OS Command Injection due to improper neutralization in admin-privileged context. Affected are Adobe Commerce 2.4.6-p1 and earlier, 2.4.5-p3 and earlier, 2.4.4-p4 and earlier. The vulnerability allows arbitrary code execution without user interact...
CVE-2021-39864
CVE-2021-39864 is a CSRF vulnerability in Adobe Commerce / Magento Open Source via a Wishlist Share Link. Affected: Adobe Commerce versions 2.4.2-p2 and earlier, 2.4.3 and earlier, 2.3.7-p1 and earlier. Impact: unauthenticated attacker could cause unauthorized additions to a customer’s cart withou...
CVE-2024-34110
CVE-2024-34110 affects Adobe Commerce and Magento Open Source versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. It is an Unrestricted Upload of File with Dangerous Type vulnerability that could enable arbitrary code execution. A high-privilege attacker can upload a malicious file and hav...
CVE-2024-39399
CVE-2024-39399 affects Adobe Commerce/Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. Description: an improper limitation of a pathname to a restricted directory enables path traversal, allowing a low-privileged attacker to read arbitrary files outside the restric...
CVE-2024-34105
CVE-2024-34105 concerns Adobe Commerce/Magento Open Source versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The issue is a stored Cross-Site Scripting (XSS) in order form fields that an admin attacker can abuse to inject malicious scripts, which may execute in a victim’s browser when loa...
CVE-2024-20717
CVE-2024-20717 corresponds to a stored XSS vulnerability in Adobe Commerce/Magento Open Source, affecting versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier. The issue stems from Mage_Adminhtml_Block_System_Config_Form_Field_File not escaping the filename in certain conditions, allowing low-privil...
CVE-2024-39407
CVE-2024-39407 affects Adobe Commerce (Magento) versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue is an Improper Authorization vulnerability that can bypass security features, allowing a low-privileged attacker to modify minor information without user interaction. The availab...
CVE-2023-29295
Adobe Commerce CVE-2023-29295 describes an Incorrect Authorization vulnerability affecting 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier that could let a low-privilege attacker bypass a security feature without user interaction. The issue stems from an authorization flaw in the Create Quote fl...
CVE-2024-45116
CVE-2024-45116 is an XSS flaw in Adobe Commerce (Magento Open Source) affecting versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. An attacker can lure an admin or user to click a crafted link or submit a form, causing arbitrary script execution in the victim’s browser with high impact...
CVE-2024-20716
CVE-2024-20716 affects Adobe Commerce and Magento Open Source: versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier suffer an Uncontrolled Resource Consumption vulnerability, enabling a high-privileged attacker to exhaust resources and cause denial of service without user interaction. Root cause is uncontro...
CVE-2024-45119
CVE-2024-45119 affects Adobe Commerce (Magento) versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier, exposing a server-side request forgery (SSRF) that can lead to arbitrary file system reads. An admin-privileged, authenticated attacker can induce the application to make arbitrary HTTP r...
CVE-2022-34253
Adobe Commerce/Magento Open Source versions 2.4.3-p2 and earlier, 2.3.7-p3 and earlier, and 2.4.4 and earlier are affected by an XML Injection vulnerability in the Widgets module. An attacker with admin privileges can trigger a crafted script to achieve remote code execution without user ...
CVE-2024-20718
Adobe Commerce (Magento Open Source) versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a CSRF vulnerability that can bypass security features and cause the victim to perform unintended actions. The issue requires user interaction and arises from a CSRF flaw in the product’s reques...
CVE-2023-38249
CVE-2023-38249 affects Adobe Commerce/Magento Open Source versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier with an SQL Injection vulnerability due to improper neutralization of special elements in an SQL command. The is...
CVE-2024-45127
CVE-2024-45127 is cited for Adobe Commerce (Magento) in multiple documents as a stored Cross-Site Scripting (XSS) vulnerability. Affected versions include 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The vulnerability allows an admin attacker to inject malicious scripts into vulnerable fo...
CVE-2023-29292
CVE-2023-29292 affects Adobe Commerce (Magento) variants, including 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The issue is a Server-Side Request Forgery (SSRF) that lets an admin-privileged, authenticated attacker force the application to make arbitrary URL requests, pote...
CVE-2024-45117
CVE-2024-45117 affects Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The vulnerability is an Improper Input Validation that could allow an admin attacker to read files outside of permitted directories via the PHP filter chain, with a low-availability impact on the s...
CVE-2023-38220
Adobe Commerce / Magento Open Source versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier are affected by an Improper Authorization vulnerability that can bypass security features to access unauthorized data; exploitation does not require user interaction. Conne...
CVE-2025-24410
Adobe Commerce (Magento) has a stored XSS in form fields affecting versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The underlying issue allows low-privilege attackers to inject malicious scripts, potentially leading to session takeover and compromising confidentiality and integrity. ...
CVE-2025-24438
Summary (validated from connected documents): CVE-2025-24438 affects Adobe Commerce and Magento variants, specifically Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. It is a stored Cross-Site Scripting (XSS) vulnerability that could allow a low-privileg...
CVE-2024-39400
Adobe Commerce (Magento) DOM-based XSS (CVE-2024-39400) affects versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The root cause is a lack of proper filtering/escaping of user-supplied data handled in the browser DOM, allowing an admin attacker to inject and execute arbitrary JavaScript in the cont...
CVE-2023-26367
CVE-2023-26367 affects Adobe Commerce/Magento (Magento Open Source) and Magento Commerce. The issue is an Improper Input Validation in the product bulk import logic that can allow an authenticated admin user to read arbitrary files from the file system. The vulnerability arises from error-based f...
CVE-2025-47110
CVE-2025-47110 is a stored XSS vulnerability in Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier. The issue allows a high-privileged attacker to inject malicious scripts into vulnerable form fields, with JavaScript execution in users’ browsers when visiting the...
CVE-2023-22250
Adobe Commerce and Magento Open Source suffer an Improper Access Control vulnerability (CVE-2023-22250) affecting 2.4.4-p2 and earlier and 2.4.5-p1 and earlier. The issue could allow a security feature bypass and impact availability of a user’s minor feature without user interaction. CVSS...
CVE-2025-43585
Adobe Commerce (Magento) CVE-2025-43585 affects multiple 2.x releases (2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier). The issue is an Improper Authorization vulnerability that can bypass security features, granting unauthorized access with a limited confidentiality impact but high...
CVE-2025-24437
CVE-2025-24437 affects Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier. Description: Incorrect Authorization could allow a low-privileged attacker to view or modify select information without user interaction, constituting a security feature bypass. CVSSv...
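Every entry above states its affected set the same way: a ceiling per release line ("2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier"), with pre-release (alpha/beta) and patch (p) suffixes that do not sort as plain strings. The practical question for a reader is whether a given install falls inside such a set. The following is an added example written for this page, not Adobe's or Magento's own tooling: it parses Magento-style version strings (including the hyphenless 2.3.7p1 form in the CVE-2021-39864 entry), orders them as alpha < beta < GA < p1 < p2, and checks an installed version against ceilings copied from several entries on this page. The names MagentoVersion, is_affected, triage and the ADVISORIES table are this example's own; the table is a constructed lookup and stays truncated where the page's entry is.

```python
"""Check an installed Adobe Commerce / Magento Open Source version against the
"<ceilings> and earlier" affected-version lists used in Adobe advisories.

Added example for this page; not Adobe's or Magento's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accepts 2.4.7, 2.4.6-p5, 2.4.7-beta3, 2.4.9-alpha2 and the hyphenless 2.3.7p1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|p)(\d+))?$", re.I)
# Ordering inside one x.y.z release line: alpha < beta < GA release < p1 < p2 ...
_STAGE_RANK = {"alpha": 0, "beta": 1, "ga": 2, "p": 3}


@dataclass(frozen=True, order=True)
class MagentoVersion:
    """Field order matters: dataclass ordering compares the fields as a tuple."""
    major: int
    minor: int
    patch: int
    stage: int   # rank from _STAGE_RANK
    number: int  # alpha/beta/patch counter, 0 for a GA release

    @property
    def line(self) -> tuple[int, int, int]:
        """The x.y.z release line this version belongs to (2.4.6 for 2.4.6-p5)."""
        return (self.major, self.minor, self.patch)

    @classmethod
    def parse(cls, text: str) -> MagentoVersion:
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Magento version: {text!r}")
        major, minor, patch, stage, num = m.groups()
        rank = _STAGE_RANK["ga"] if stage is None else _STAGE_RANK[stage.lower()]
        return cls(int(major), int(minor), int(patch), rank, int(num or 0))


def is_affected(installed: str, ceilings: list[str]) -> bool:
    """True if `installed` is inside the "<ceilings> and earlier" set.

    Assumption, matching the wording of the entries on this page: a ceiling
    covers its own release line up to and including itself (2.4.6-p5 covers
    2.4.6, 2.4.6-p1 ... 2.4.6-p5); a release line the advisory does not name
    counts as affected when it is older than the newest named line ("and
    earlier") and as fixed when it is newer.
    """
    target = MagentoVersion.parse(installed)
    tops = [MagentoVersion.parse(c) for c in ceilings]
    same_line = [c for c in tops if c.line == target.line]
    if same_line:
        return target <= max(same_line)
    return target.line < max(c.line for c in tops)


# Ceilings transcribed from entries on this page (constructed lookup table for
# this example; where the page's entry is truncated, so is the list here).
ADVISORIES: dict[str, list[str]] = {
    "CVE-2021-39864": ["2.4.2-p2", "2.4.3", "2.3.7p1"],
    "CVE-2022-24086": ["2.4.3-p1", "2.3.7-p2"],
    "CVE-2024-34102": ["2.4.7", "2.4.6-p5", "2.4.5-p7", "2.4.4-p8"],
    "CVE-2024-39397": ["2.4.7-p1", "2.4.6-p6", "2.4.5-p8", "2.4.4-p9"],
    "CVE-2025-24434": ["2.4.8-beta1", "2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11"],
    "CVE-2025-54236": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12"],
}


def triage(installed: str, advisories: dict[str, list[str]] = ADVISORIES) -> list[str]:
    """CVE identifiers from `advisories` whose affected set contains `installed`."""
    return sorted(cve for cve, tops in advisories.items() if is_affected(installed, tops))


if __name__ == "__main__":
    for v in ("2.4.6-p6", "2.4.7-beta3", "2.4.8-p3", "2.3.7p1"):
        print(f"{v:>12}: {', '.join(triage(v)) or 'none of the listed CVEs'}")
```

Two points worth noting when adapting this. First, 2.4.7-beta3 sorts below the 2.4.7 GA ceiling, so a beta install is reported as affected by CVE-2024-34102 even though the entry names only "2.4.7"; that is deliberate, since the beta predates the fix. Second, the "unnamed line is affected if older" rule is an interpretation of Adobe's "and earlier" phrasing; when an advisory lists a line this table omits, or names an end-of-life line explicitly, confirm against the vendor bulletin rather than relying on the rule.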