Adobe Commerce 2.4.5 Patch 7
Approved changes feed: RSS · Atom
cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:*
part: a version: 2.4.5 update: p7
| Vendor | Adobe (fb293c1b-cab3-5565-9184-186e4ece530b) |
|---|---|
| Product | Commerce (86532610-8ce1-5faa-8e1c-d91f271a0546) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-34686 |
vulnerable | 2026-06-03 15:22:10.587513 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Published: 2026-05-12T19:50:32.687Z
Updated: 2026-05-13T15:37:30.478Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21361 |
vulnerable | 2026-06-03 15:15:49.946002 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.1)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:12.523Z
Updated: 2026-03-12T03:55:24.338Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21360 |
vulnerable | 2026-06-03 15:15:49.933271 |
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
MEDIUM (6.8)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restricted path. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:11.666Z
Updated: 2026-03-11T13:48:52.987Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21359 |
vulnerable | 2026-06-03 15:15:49.910979 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.7)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:18.561Z
Updated: 2026-03-11T13:37:31.075Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21311 |
vulnerable | 2026-06-03 15:15:49.793647 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:09.962Z
Updated: 2026-03-12T03:55:25.017Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21310 |
vulnerable | 2026-06-03 15:15:49.782179 |
Adobe Commerce | Improper Input Validation (CWE-20)
MEDIUM (5.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:15.994Z
Updated: 2026-03-11T13:39:33.056Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21309 |
vulnerable | 2026-06-03 15:15:49.765103 |
Adobe Commerce | Incorrect Authorization (CWE-863)
HIGH (7.5)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:17.734Z
Updated: 2026-03-11T13:38:55.520Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21297 |
vulnerable | 2026-06-03 15:15:49.496602 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:19.528Z
Updated: 2026-03-11T13:36:59.330Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21296 |
vulnerable | 2026-06-03 15:15:49.484960 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:10.824Z
Updated: 2026-03-11T13:48:53.209Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21295 |
vulnerable | 2026-06-03 15:15:49.469736 |
Adobe Commerce | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)
LOW (3.1)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.
Published: 2026-03-11T02:19:08.980Z
Updated: 2026-03-11T13:47:36.829Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21294 |
vulnerable | 2026-06-03 15:15:49.455633 |
Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)
MEDIUM (5.5)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:21.376Z
Updated: 2026-03-11T13:35:19.290Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21293 |
vulnerable | 2026-06-03 15:15:49.435326 |
Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)
MEDIUM (5.5)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:24.047Z
Updated: 2026-03-11T13:33:40.576Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21292 |
vulnerable | 2026-06-03 15:15:49.426406 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
MEDIUM (5.4)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:16.829Z
Updated: 2026-03-11T13:38:08.402Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21291 |
vulnerable | 2026-06-03 15:15:49.412790 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
MEDIUM (4.8)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:24.994Z
Updated: 2026-03-11T13:33:13.844Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21290 |
vulnerable | 2026-06-03 15:15:49.398578 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:14.251Z
Updated: 2026-03-12T03:55:22.870Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21289 |
vulnerable | 2026-06-03 15:15:49.381750 |
Adobe Commerce | Incorrect Authorization (CWE-863)
HIGH (7.5)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:13.384Z
Updated: 2026-03-11T13:45:07.146Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21286 |
vulnerable | 2026-06-03 15:15:49.294141 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (5.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:22.237Z
Updated: 2026-03-11T13:34:41.685Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21285 |
vulnerable | 2026-06-03 15:15:49.282049 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:15.142Z
Updated: 2026-03-11T13:43:49.117Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21284 |
vulnerable | 2026-06-03 15:15:49.263709 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.1)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11T02:19:20.459Z
Updated: 2026-03-12T03:55:22.193Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-21282 |
vulnerable | 2026-06-03 15:15:49.102012 |
Adobe Commerce | Improper Input Validation (CWE-20)
MEDIUM (5.3)
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploitation of this issue does not require user interaction.
Published: 2026-03-11T02:19:23.167Z
Updated: 2026-03-11T13:34:17.821Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54267 |
vulnerable | 2026-06-03 15:04:55.555348 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (6.5)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction.
Published: 2025-10-14T20:27:57.566Z
Updated: 2026-02-26T16:57:53.711Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54266 |
vulnerable | 2026-06-03 15:04:55.545934 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
MEDIUM (4.8)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.
Published: 2025-10-14T20:27:56.763Z
Updated: 2025-10-15T14:55:26.614Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54265 |
vulnerable | 2026-06-03 15:04:55.534076 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (5.9)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction.
Published: 2025-10-14T20:27:54.411Z
Updated: 2026-04-28T02:22:39.747Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54264 |
vulnerable | 2026-06-03 15:04:55.521293 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.1)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.
Published: 2025-10-14T20:27:53.635Z
Updated: 2026-02-26T16:57:54.374Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54263 |
vulnerable | 2026-06-03 15:04:55.486846 |
Adobe Commerce | Incorrect Authorization (CWE-863)
HIGH (8.1)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.
Published: 2025-10-14T20:27:56.014Z
Updated: 2026-02-26T16:57:54.026Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-54236 |
vulnerable | 2026-06-03 15:04:55.304254 |
Adobe Commerce | Improper Input Validation (CWE-20)
CRITICAL (9.1)
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
Published: 2025-09-09T13:20:17.939Z
Updated: 2025-10-24T22:20:23.685Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49559 |
vulnerable | 2026-06-03 15:01:45.227907 |
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
MEDIUM (5.3)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.
Published: 2025-08-12T17:55:06.460Z
Updated: 2026-02-26T17:49:01.611Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49558 |
vulnerable | 2026-06-03 15:01:45.219548 |
Adobe Commerce | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
MEDIUM (5.9)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction.
Published: 2025-08-12T17:55:08.951Z
Updated: 2026-02-26T17:49:01.174Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49557 |
vulnerable | 2026-06-03 15:01:45.211394 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.
Published: 2025-08-12T17:55:09.849Z
Updated: 2026-02-26T17:49:00.825Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49556 |
vulnerable | 2026-06-03 15:01:45.204413 |
Adobe Commerce | Incorrect Authorization (CWE-863)
HIGH (7.5)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.
Published: 2025-08-12T17:55:11.081Z
Updated: 2025-08-13T20:14:11.184Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49555 |
vulnerable | 2026-06-03 15:01:45.194835 |
Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
HIGH (8.1)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed.
Published: 2025-08-12T17:55:05.453Z
Updated: 2026-02-26T17:49:02.275Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49554 |
vulnerable | 2026-06-03 15:01:45.158123 |
Adobe Commerce | Improper Input Validation (CWE-20)
HIGH (7.5)
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction.
Published: 2025-08-12T17:55:07.283Z
Updated: 2025-08-13T20:14:23.568Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49550 |
vulnerable | 2026-06-03 15:01:45.126570 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.
Published: 2025-06-25T17:41:58.948Z
Updated: 2025-06-25T18:08:05.106Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-49549 |
vulnerable | 2026-06-03 15:01:45.087545 |
Adobe Commerce | Incorrect Authorization (CWE-863)
LOW (2.7)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.
Published: 2025-06-25T17:41:13.652Z
Updated: 2025-06-25T18:12:41.002Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-47110 |
vulnerable | 2026-06-03 15:01:28.345529 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.4)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.
Published: 2025-06-10T16:08:55.695Z
Updated: 2025-07-14T20:49:56.693Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-43586 |
vulnerable | 2026-06-03 15:01:17.129863 |
Adobe Commerce | Improper Access Control (CWE-284)
HIGH (8.1)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized elevated access. Exploitation of this issue does not require user interaction.
Published: 2025-06-10T16:08:56.439Z
Updated: 2026-02-26T17:51:02.725Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-43585 |
vulnerable | 2026-06-03 15:01:17.067873 |
Adobe Commerce | Improper Authorization (CWE-285)
HIGH (8.2)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.
Published: 2025-06-10T16:08:54.171Z
Updated: 2025-06-10T18:10:21.054Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-27206 |
vulnerable | 2026-06-03 15:00:11.828730 |
Adobe Commerce | Improper Access Control (CWE-284)
MEDIUM (5.3)
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.
Published: 2025-06-10T16:08:57.172Z
Updated: 2025-06-10T18:08:42.943Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-27192 |
vulnerable | 2026-06-03 15:00:11.757522 |
Adobe Commerce | Insufficiently Protected Credentials (CWE-522)
LOW (2.7)
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.
Published: 2025-04-08T20:17:10.679Z
Updated: 2025-04-08T21:01:36.000Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-27191 |
vulnerable | 2026-06-03 15:00:11.750673 |
Adobe Commerce | Improper Access Control (CWE-284)
MEDIUM (5.3)
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Published: 2025-04-08T20:17:11.466Z
Updated: 2025-04-08T21:01:35.799Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-27190 |
vulnerable | 2026-06-03 15:00:11.726498 |
Adobe Commerce | Improper Access Control (CWE-284)
MEDIUM (5.3)
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Published: 2025-04-08T20:17:12.748Z
Updated: 2025-04-08T21:01:35.615Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-27188 |
vulnerable | 2026-06-03 15:00:11.669337 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Published: 2025-04-08T20:17:09.891Z
Updated: 2025-05-01T16:10:36.954Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24438 |
vulnerable | 2026-06-03 14:59:55.927914 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:42.877Z
Updated: 2026-02-26T19:09:10.474Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24437 |
vulnerable | 2026-06-03 14:59:55.886780 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (5.4)
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view or modify select information. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:54.305Z
Updated: 2025-04-15T16:21:17.325Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24436 |
vulnerable | 2026-06-03 14:59:55.875792 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view select information. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:44.529Z
Updated: 2025-04-15T16:20:05.482Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24435 |
vulnerable | 2026-06-03 14:59:55.869750 |
Adobe Commerce | Improper Access Control (CWE-284)
MEDIUM (4.3)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to modify limited fields. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:31.405Z
Updated: 2025-02-27T20:38:04.345Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24434 |
vulnerable | 2026-06-03 14:59:55.860603 |
Adobe Commerce | Incorrect Authorization (CWE-863)
CRITICAL (9.1)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:53.501Z
Updated: 2026-02-26T19:09:08.047Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24432 |
vulnerable | 2026-06-03 14:59:55.854875 |
Adobe Commerce | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
LOW (3.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing rate limiting mechanisms. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:47.754Z
Updated: 2025-04-15T16:08:56.702Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24430 |
vulnerable | 2026-06-03 14:59:55.666943 |
Adobe Commerce | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
LOW (3.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing rate limiting mechanisms. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:46.142Z
Updated: 2025-04-15T16:04:34.802Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24429 |
vulnerable | 2026-06-03 14:59:55.661135 |
Adobe Commerce | Improper Access Control (CWE-284)
LOW (3.5)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass allowing read only access. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction.
Published: 2025-02-11T17:37:45.344Z
Updated: 2025-04-15T15:56:54.003Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24428 |
vulnerable | 2026-06-03 14:59:55.655338 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
MEDIUM (5.4)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Published: 2025-02-11T17:37:33.816Z
Updated: 2025-02-27T20:38:17.483Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24427 |
vulnerable | 2026-06-03 14:59:55.649327 |
Adobe Commerce | Improper Access Control (CWE-284)
MEDIUM (6.5)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:35.413Z
Updated: 2025-04-16T19:26:43.805Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24425 |
vulnerable | 2026-06-03 14:59:55.642497 |
Adobe Commerce | Business Logic Errors (CWE-840)
MEDIUM (5.3)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to circumvent intended security mechanisms by manipulating the logic of the application's operations causing limited data modification. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:37.917Z
Updated: 2025-02-27T20:38:16.282Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24421 |
vulnerable | 2026-06-03 14:59:55.632647 |
Adobe Commerce | Incorrect Authorization (CWE-863)
MEDIUM (4.3)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to read select data. Exploitation of this issue does not require user interaction
Published: 2025-02-11T17:37:37.036Z
Updated: 2025-04-16T19:26:19.966Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24417 |
vulnerable | 2026-06-03 14:59:55.621896 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:39.575Z
Updated: 2026-02-26T19:09:11.348Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24416 |
vulnerable | 2026-06-03 14:59:55.597209 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:50.979Z
Updated: 2026-02-26T19:09:09.364Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24415 |
vulnerable | 2026-06-03 14:59:55.591570 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:52.600Z
Updated: 2026-02-26T19:09:08.510Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24414 |
vulnerable | 2026-06-03 14:59:55.584883 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:55.122Z
Updated: 2026-02-26T19:09:07.609Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24413 |
vulnerable | 2026-06-03 14:59:55.579714 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:49.367Z
Updated: 2026-02-26T19:09:09.876Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24412 |
vulnerable | 2026-06-03 14:59:55.573171 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:36.216Z
Updated: 2026-02-26T19:09:11.638Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24411 |
vulnerable | 2026-06-03 14:59:55.566630 |
Adobe Commerce | Improper Access Control (CWE-284)
HIGH (8.1)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access affecting Confidentiality and Integrity. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:51.772Z
Updated: 2026-02-26T19:09:09.033Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24410 |
vulnerable | 2026-06-03 14:59:55.554487 |
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
HIGH (8.7)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
Published: 2025-02-11T17:37:33.017Z
Updated: 2026-02-26T19:09:12.134Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24409 |
vulnerable | 2026-06-03 14:59:55.548543 |
Adobe Commerce | Incorrect Authorization (CWE-863)
HIGH (8.2)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both a High impact to confidentiality and Low impact to integrity. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:38.725Z
Updated: 2025-03-17T21:02:36.064Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24408 |
vulnerable | 2026-06-03 14:59:55.542415 |
Adobe Commerce | Information Exposure (CWE-200)
MEDIUM (6.5)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. A low-privileged attacker could gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:32.198Z
Updated: 2025-02-27T20:38:10.912Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-24406 |
vulnerable | 2026-06-03 14:59:55.485700 |
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
HIGH (7.5)
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.
Published: 2025-02-11T17:37:40.430Z
Updated: 2025-03-17T20:51:05.033Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45149 |
vulnerable | 2026-06-03 14:56:48.974822 |
Adobe Commerce | Improper Access Control (CWE-284)
LOW (2.7)
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not require user interaction.
Published: 2024-10-10T09:57:50.452Z
Updated: 2024-12-12T17:38:26.517Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45148 |
vulnerable | 2026-06-03 14:56:48.972120 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45135 |
vulnerable | 2026-06-03 14:56:48.710045 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45134 |
vulnerable | 2026-06-03 14:56:48.704307 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45133 |
vulnerable | 2026-06-03 14:56:48.700383 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45132 |
vulnerable | 2026-06-03 14:56:48.691226 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45131 |
vulnerable | 2026-06-03 14:56:48.686953 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45130 |
vulnerable | 2026-06-03 14:56:48.682840 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45129 |
vulnerable | 2026-06-03 14:56:48.679009 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45128 |
vulnerable | 2026-06-03 14:56:48.674627 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45127 |
vulnerable | 2026-06-03 14:56:48.670568 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45125 |
vulnerable | 2026-06-03 14:56:48.665711 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45124 |
vulnerable | 2026-06-03 14:56:48.661805 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45123 |
vulnerable | 2026-06-03 14:56:48.657132 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45122 |
vulnerable | 2026-06-03 14:56:48.652668 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45121 |
vulnerable | 2026-06-03 14:56:48.648799 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45120 |
vulnerable | 2026-06-03 14:56:48.644737 |
Adobe Commerce | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
LOW (3.1)
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use of a resource, having a low impact on integrity. Exploitation of this issue requires user interaction.
Published: 2024-10-10T09:57:56.691Z
Updated: 2024-12-12T17:36:42.455Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45119 |
vulnerable | 2026-06-03 14:56:48.641916 |
Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)
MEDIUM (4.9)
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
Published: 2024-10-10T09:57:58.983Z
Updated: 2024-12-12T17:32:19.594Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45118 |
vulnerable | 2026-06-03 14:56:48.638669 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45117 |
vulnerable | 2026-06-03 14:56:48.635050 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45116 |
vulnerable | 2026-06-03 14:56:48.630904 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-45115 |
vulnerable | 2026-06-03 14:56:48.597284 | db.gcve.eu returned HTTP 503. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39419 |
vulnerable | 2026-06-03 14:56:20.788351 |
A user without ship permissions can ship the orders
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:22.405Z
Updated: 2024-08-14T14:12:33.337Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39418 |
vulnerable | 2026-06-03 14:56:20.786261 |
Adobe Commerce | Improper Authorization (CWE-285)
MEDIUM (5.4)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:20.916Z
Updated: 2024-09-17T11:07:31.253Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39417 |
vulnerable | 2026-06-03 14:56:20.783977 |
An unauthorized user can export the Shipping Report
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:17.890Z
Updated: 2024-08-14T14:13:22.932Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39416 |
vulnerable | 2026-06-03 14:56:20.781527 |
Unauthorized user can export Orders Sale Report
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:11.759Z
Updated: 2024-08-14T14:14:32.679Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39415 |
vulnerable | 2026-06-03 14:56:20.779370 |
An unauthorized user can export the Tax Sales Report
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:06.435Z
Updated: 2024-08-14T14:15:32.390Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39414 |
vulnerable | 2026-06-03 14:56:20.777486 |
Being able to import/export tax rates without proper privileges
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:10.986Z
Updated: 2024-08-14T14:14:39.487Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39413 |
vulnerable | 2026-06-03 14:56:20.775411 |
An unauthorized user can export the Invoiced Sales Report
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:20.153Z
Updated: 2024-08-14T14:13:00.375Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39412 |
vulnerable | 2026-06-03 14:56:20.773227 |
Adobe Commerce | Improper Authorization (CWE-285)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and perform a minor integrity change. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:10.222Z
Updated: 2024-09-16T12:27:45.851Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39411 |
vulnerable | 2026-06-03 14:56:20.771239 |
Adobe Commerce | Improper Authorization (CWE-285)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:12.517Z
Updated: 2024-09-17T11:07:07.544Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39410 |
vulnerable | 2026-06-03 14:56:20.769193 |
Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:17.152Z
Updated: 2024-09-17T11:07:19.690Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39409 |
vulnerable | 2026-06-03 14:56:20.767006 |
Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changes on behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.
Published: 2024-08-14T11:57:13.314Z
Updated: 2024-09-16T12:17:49.209Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39408 |
vulnerable | 2026-06-03 14:56:20.764912 |
Adobe Commerce | Cross-Site Request Forgery (CSRF) (CWE-352)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could allow an attacker to bypass security features and perform minor integrity changeson behalf of a user. The vulnerability could be exploited by tricking a victim into clicking a link or loading a page that submits a malicious request. Exploitation of this issue requires user interaction.
Published: 2024-08-14T11:57:18.628Z
Updated: 2024-09-16T12:14:16.301Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39407 |
vulnerable | 2026-06-03 14:56:20.762753 |
Adobe Commerce | Improper Authorization (CWE-285)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:16.360Z
Updated: 2024-09-17T11:06:24.011Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39406 |
vulnerable | 2026-06-03 14:56:20.760572 |
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
MEDIUM (6.8)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.
Published: 2024-08-14T11:57:08.723Z
Updated: 2024-09-16T12:07:33.315Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39405 |
vulnerable | 2026-06-03 14:56:20.757899 |
Adobe Commerce | Improper Authorization (CWE-285)
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:05.644Z
Updated: 2024-09-17T11:06:05.847Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39404 |
vulnerable | 2026-06-03 14:56:20.755566 |
A user without Shop Policy Parameters section privilege can alter the shop policy parameters section
MEDIUM (4.3)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.
Published: 2024-08-14T11:57:07.181Z
Updated: 2024-08-14T14:15:23.536Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39403 |
vulnerable | 2026-06-03 14:56:20.753300 |
Stored XSS through Webhook module public key configuration
HIGH (7.6)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality impact is high due to the attacker being able to exfiltrate sensitive information.
Published: 2024-08-14T11:57:21.660Z
Updated: 2024-08-14T14:12:45.600Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39402 |
vulnerable | 2026-06-03 14:56:20.750823 |
Adobe Commerce | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
HIGH (8.4)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.
Published: 2024-08-14T11:57:09.458Z
Updated: 2024-09-17T11:05:39.188Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39401 |
vulnerable | 2026-06-03 14:56:20.748886 |
Adobe Commerce | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
HIGH (8.4)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.
Published: 2024-08-14T11:57:14.867Z
Updated: 2024-09-17T11:05:32.867Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39400 |
vulnerable | 2026-06-03 14:56:20.746741 |
DOM XSS through integrations can impact other admins
HIGH (8.1)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convincing a victim to click on a malicious link. Confidentiality and integrity impact is high as it affects other admin accounts.
Published: 2024-08-14T11:57:07.948Z
Updated: 2024-08-14T14:15:17.538Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39399 |
vulnerable | 2026-06-03 14:56:20.744414 |
[Paris] Path Traversal lead to local file read
HIGH (7.7)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.
Published: 2024-08-14T11:57:19.382Z
Updated: 2024-08-14T14:13:07.190Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39398 |
vulnerable | 2026-06-03 14:56:20.742044 |
OTP 2FA can be bruteforced
HIGH (7.4)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to accounts. Exploitation of this issue does not require user interaction, but attack complexity is high.
Published: 2024-08-14T11:57:15.614Z
Updated: 2024-08-14T14:13:54.591Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-39397 |
vulnerable | 2026-06-03 14:56:20.716809 |
Adobe Commerce | Unrestricted Upload of File with Dangerous Type (CWE-434)
CRITICAL (9)
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.
Published: 2024-08-14T11:57:14.067Z
Updated: 2024-09-16T12:49:11.103Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2024-34102 |
vulnerable | 2026-06-03 14:55:53.532802 |
XXE can expose crypt key and other secrets granting full admin access
CRITICAL (9.8)
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Published: 2024-06-13T09:04:56.093Z
Updated: 2025-10-21T22:56:22.223Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.