161 matches found
CVE-2022-24086
CVE-2022-24086 affects Adobe Commerce and Magento Open Source via an improper input validation vulnerability during checkout, allowing arbitrary code execution without user interaction. Affected: Adobe Commerce 2.4.3-p1 and earlier, 2.3.7-p2 and earlier. Evidence from multiple advisories confirms...
CVE-2025-54236
CVE-2025-54236 affects Adobe Commerce and Magento Open Source: Improper Input Validation could allow an attacker to take over customer sessions (high confidentiality/integrity impact) with network-level, no-interaction exploit. Affected: Adobe Commerce 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12,...
CVE-2024-34102
CVE-2024-34102 is an XXE vulnerability in Adobe Commerce/Magento Open Source that allows remote code execution. The issue affects Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier, via improper restriction of XML external entity references. Exploitation can occur without use...
CVE-2025-24434
Adobe Commerce (Magento) is affected by an Incorrect/Improper Authorization vulnerability (CVE-2025-24434) impacting versions including 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The issue allows privilege escalation and session takeover without user interaction. Root caus...
CVE-2024-20758
Adobe Commerce (Magento) vulnerable versions: 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier suffer an Improper Input Validation flaw that can lead to arbitrary code execution on the underlying filesystem. Exploitation does not require user interaction, but the attack complexity is high. A...
CVE-2020-8818
CVE-2020-8818 affects the CardGate Payments plugin for Magento 2 (up to version 2.0.30). The underlying issue is lack of origin authentication in the IPN callback processing function (Controller/Payment/Callback.php), enabling an attacker to remotely replace critical plugin settings (merchant ID,...
CVE-2025-24406
CVE-2025-24406 concerns Adobe Commerce; multiple historical releases (2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier) are affected by an improper pathname limitation vulnerability (Path Traversal). An unauthenticated attacker could bypass a security feature and modify files sto...
CVE-2024-39397
Adobe Commerce (Magento) is affected by CVE-2024-39397: Unrestricted Upload of File with Dangerous Type that could lead to arbitrary code execution. Affected versions include 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue arises from uploading a dangerous file that is then executed...
CVE-2023-38218
CVE-2023-38218 affects Adobe Commerce/Magento Open Source/Community Edition: versions 2.4.4-p5 and earlier up to 2.4.7-beta1 (and earlier) are vulnerable to Incorrect Authorization via the V1/customers/me endpoint, enabling an authenticated attacker to cause information exposure and privilege esc...
CVE-2024-34104
Adobe Commerce (Magento Open Source) versions affected by CVE-2024-34104 include 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The issue is described as Improper Authorization that could bypass security features, allowing unauthorized access with confidentiality and integrity impact. Exploitat...
CVE-2023-29290
CVE-2023-29290 affects Adobe Commerce versions 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The vulnerability is an Incorrect Authorization issue that could bypass a security feature and enable bypass of a minor functionality without user interaction. The CVE has a Medium ba...
CVE-2023-29297
CVE-2023-29297 affects Adobe Commerce versions 2.4.6 and earlier (including 2.4.5-p2 and 2.4.4-p3) with an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation doe...
CVE-2024-39406
Adobe Commerce/Open Source Magento Path Traversal (CVE-2024-39406) affects versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue is an Improper Limitation of a Pathname to a Restricted Directory, enabling an attacker to read arbitrary files outside the restricted path without use...
CVE-2024-34111
CVE-2024-34111 is a Server-Side Request Forgery (SSRF) affecting Adobe Commerce/Magento Open Source versions up to 2.4.7 and earlier (e.g., 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier). The issue allows a low-privilege, authenticated attacker to cause arbitrary file system reads by injecting ...
CVE-2024-34109
CVE-2024-34109 affects Adobe Commerce/Magento Open Source; affected versions are 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. It is an Improper Input Validation vulnerability that could enable arbitrary code execution in the context of the current user. Exploitation does not require user inte...
CVE-2024-39399
CVE-2024-39399 affects Adobe Commerce/Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. Description: an improper limitation of a pathname to a restricted directory enables path traversal, allowing a low-privileged attacker to read arbitrary files outside the restric...
CVE-2024-34110
CVE-2024-34110 affects Adobe Commerce and Magento Open Source versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. It is an Unrestricted Upload of File with Dangerous Type vulnerability that could enable arbitrary code execution . A high-privilege attacker can upload a malicious file and hav...
CVE-2024-34105
CVE-2024-34105 concerns Adobe Commerce/Magento Open Source versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. The issue is a stored Cross-Site Scripting (XSS) in order form fields that an admin attacker can abuse to inject malicious scripts, which may execute in a victim’s browser when loa...
CVE-2024-39407
CVE-2024-39407 affects Adobe Commerce (Magento) versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue is an Improper Authorization vulnerability that can bypass security features, allowing a low-privileged attacker to modify minor information without user interaction. The availab...
CVE-2024-45119
CVE-2024-45119 affects Adobe Commerce (Magento) versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier, exposing a server-side request forgery (SSRF) that can lead to arbitrary file system reads. An admin-privileged, authenticated attacker can induce the application to make arbitrary HTTP r...
CVE-2023-29295
Adobe Commerce CVE-2023-29295 describes an Incorrect Authorization vulnerability affecting 2.4.6 and earlier (including 2.4.5-p2, 2.4.4-p3) that could let a low-privilege attacker bypass a security feature without user interaction. The issue stems from an authorization flaw in the Create Quote fl...
CVE-2024-45116
CVE-2024-45116 is an XSS flaw in Adobe Commerce (Magento Open Source) affecting versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. An attacker can lure an admin or user to click a crafted link or submit a form, causing arbitrary script execution in the victim’s browser with high impact...
CVE-2023-29292
CVE-2023-29292 affects Adobe Commerce (Magento) variants, including 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The issue is a Server-Side Request Forgery (SSRF) that lets an admin-privileged, authenticated attacker force the application to make arbitrary URL requests, pote...
CVE-2023-38249
CVE-2023-38249 affects Adobe Commerce/Magento core components prior to versions listed (e.g., 2.4.7-beta1 and earlier; 2.4.6-p2 and earlier; 2.4.5-p4 and earlier; 2.4.4-p5 and earlier) with an SQL Injection vulnerability due to improper neutralization of special elements in an SQL command. The is...
CVE-2024-45127
CVE-2024-45127 is cited for Adobe Commerce (Magento) in multiple documents as a stored Cross-Site Scripting (XSS) vulnerability. Affected versions include 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The vulnerability allows an admin attacker to inject malicious scripts into vulnerable fo...
CVE-2024-45117
CVE-2024-45117 affects Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. The vulnerability is an Improper Input Validation that could allow an admin attacker to read files outside of permitted directories via the PHP filter chain, with a low-availability impact on the s...
CVE-2025-47110
CVE-2025-47110 is a stored XSS vulnerability in Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier. The issue allows a high-privileged attacker to inject malicious scripts into vulnerable form fields, with JavaScript execution in users’ browsers when visiting the...
CVE-2025-24438
Summary (validated from connected documents): CVE-2025-24438 affects Adobe Commerce and Magento variants, specifically Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. It is a stored Cross-Site Scripting (XSS) vulnerability that could allow a low-privileg...
CVE-2023-38220
Adobe Commerce / Magento Open Source versions 2.4.7-beta1 and earlier (including 2.4.6-p2, 2.4.5-p4, 2.4.4-p5 and earlier) are affected by an Improper Authorization vulnerability that can bypass security features to access unauthorized data, with exploitation not requiring user interaction. Conne...
CVE-2024-39400
Adobe Commerce (Magento) DOM-based XSS (CVE-2024-39400) affects versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The root cause is a DOM-based XSS lack of proper filtering/escaping of user-supplied data, allowing an admin attacker to inject and execute arbitrary JavaScript in the cont...
CVE-2025-24410
Adobe Commerce (Magento) stores XSS in forms across versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The underlying issue allows low-privilege attackers to inject malicious scripts, potentially leading to session takeover and compromising confidentiality and integrity. ...
CVE-2025-43585
Adobe Commerce (Magento) CVE-2025-43585 affects multiple 2.x releases (2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier). The issue is an Improper Authorization vulnerability that can bypass security features, granting unauthorized access with a limited confidentiality impact but high...
CVE-2025-24437
CVE-2025-24437 affects Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier. Description: Incorrect Authorization could allow a low-privileged attacker to view or modify select information without user interaction, constituting a security feature bypass. CVSSv...
CVE-2023-26367
CVE-2023-26367 affects Adobe Commerce/Magento (Magento Open Source) and Magento Commerce. The issue is an Improper Input Validation in the product bulk import logic that can allow an authenticated admin user to read arbitrary files from the file system. The vulnerability arises from error-based f...
CVE-2024-39418
Adobe Commerce/CMS: CVE-2024-39418 is an Improper Authorization flaw (CWE-285) affecting 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. The issue allows a low-privileged attacker to bypass security and view/edit low-sensitivity data without user interaction. The Nessus adapter references APS...
CVE-2023-29289
Adobe Commerce and Magento are affected by CVE-2023-29289 (XML Injection) in versions 2.4.6 and earlier, 2.4.5-p2 and earlier, and 2.4.4-p3 and earlier. The issue enables a low-privilege attacker to trigger a crafted script that bypasses a security feature, with exploitation not requiring user in...
CVE-2024-45124
CVE-2024-45124 affects Adobe Commerce (2.4.x: 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier) with an Improper Access Control vulnerability that could bypass security features and impact integrity at a low level. Exploitation does not require user interaction. The Connected documents corrobo...
CVE-2023-38221
CVE-2023-38221 concerns Adobe Commerce/Magento with an SQL Injection in versions up to 2.4.7-beta1 and earlier. The root cause is improper neutralization of special elements in an SQL command. The impact is potential arbitrary code execution by an attacker with admin privileges (no user interacti...
CVE-2024-45130
Summary: CVE-2024-45130 affects Adobe Commerce/Magento Open Source and Adobe Commerce B2B products in multiple documents, with an Improper Access Control vulnerability that can enable a security feature bypass. The affected versions include Adobe Commerce 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 a...
CVE-2023-38250
CVE-2023-38250 affects Adobe Commerce (Magento) platforms: versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, 2.4.4-p5 and earlier are vulnerable to SQL Injection that enables arbitrary code execution when exploited by an admin-privileged authenticated attacker. The iss...
CVE-2024-39414
CVE-2024-39414 affects Adobe Commerce/Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. Root cause: Improper Authorization that allows a low-privileged attacker to bypass security controls and disclose minor information without user interaction. Exploitation is netw...
CVE-2024-45121
CVE-2024-45121 affects Adobe Commerce (Magento) versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier. It is an Improper Access Control (CWE-284) vulnerability that could allow a low-privileged attacker to bypass security measures, with a low impact on integrity and no required user intera...
CVE-2024-39419
Adobe Commerce (Magento) is affected by CVE-2024-39419: an Improper Authorization vulnerability that allows a low-privileged attacker to bypass security measures and modify minor information without user interaction. Affected versions include 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier. Th...
CVE-2025-24412
CVE-2025-24412 affects Adobe Commerce and Magento Open Source, with stored XSS in vulnerable form fields across multiple 2.4.x releases (e.g., 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier). The underlying issue is a stored XSS that an attacker with low privileges can abuse to...
CVE-2025-24414
CVE-2025-24414 affects Adobe Commerce prior to some 2.4.x releases (2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier). It is a stored Cross-Site Scripting (XSS) vulnerability that a low-privileged attacker can exploit via vulnerable form fields to inject JavaScript, potentially e...
CVE-2023-38219
CVE-2023-38219 describes a stored XSS in Adobe Commerce/Magento Open Source prior to versions affected in the description. The root cause is insufficient filtering/escaping of user-supplied data, with the payload stored in an admin area and executed in a victim’s browser when visiting vulnerable ...
CVE-2024-20759
CVE-2024-20759 affects Adobe Commerce (Magento) Open/Commerce platforms: versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier. The issue is a stored Cross‑Site Scripting (XSS) vulnerability in vulnerable form fields that could be exploited by a high‑privileged attacker to inject malicio...
CVE-2023-38251
Adobe Commerce is affected by an Uncontrolled Resource Consumption vulnerability (CVE-2023-38251) that can cause a minor denial-of-service without user interaction. Affected: Adobe Commerce versions up to 2.4.7-beta1, 2.4.6-p2, 2.4.5-p4, and 2.4.4-p5 (and earlier). The root cause is Uncontrolled ...
CVE-2024-34103
CVE-2024-34103 affects Adobe Commerce/Magento Open Source: versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier; described as Improper Authentication leading to privilege escalation. Exploitation requires no user interaction but has high attack complexity. Connected sources reference an accou...
CVE-2023-22248
CVE-2023-22248 affects Adobe Commerce 2.4.x (2.4.6 and earlier, 2.4.5-p2, 2.4.4-p3 and earlier). It is an Incorrect Authorization vulnerability that could bypass a security feature and leak another user’s data. Exploitation does not require user interaction. Documents note that Adobe has released...