CVE-2025-49559

CWE-22 — Path Traversal4 documents4 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 50.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Adobe Commerce Adobe Commerce B2B Adobe Magento +3 more

Timeline

PublishedAug 12

Description

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶NVDadobe/commerce< 2.4.4+5

▶NVDadobe/commerce_b2b< 1.3.3+6

▶CVEListV5adobe/adobe_commerce2.4.4-p14

▶NVDadobe/magento< 2.4.5+5

▶Packagistmagento/community-edition2.4.9-alpha1 — 2.4.9-alpha2+4

🔴Vulnerability Details

CVEList

Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)↗2025-08-12

▶

OSV

Magento vulnerable to path traversal↗2025-08-12

▶

GHSA

Magento vulnerable to path traversal↗2025-08-12

▶