CVE-2025-54264 — Cross-site Scripting in Adobe Commerce

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 76.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Commerce Magento Project-community-edition +3 more

Timeline

PublishedOct 14

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:NExploitability: 1.7 | Impact: 5.8

Affected Packages6 packages

▶CVEListV5adobe/adobe_commerce2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15

▶NVDadobe/commerce6 versions+5

▶NVDadobe/commerce_b2b6 versions+5

▶NVDadobe/magento4 versions+3

▶Packagistmagento/community-edition2.4.9-alpha1 — 2.4.9-alpha3+3

🔴Vulnerability Details

GHSA

Magento vulnerable to stored Cross-Site Scripting (XSS)↗2025-10-14

▶

OSV

Magento vulnerable to stored Cross-Site Scripting (XSS)↗2025-10-14

▶

CVEList

Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)↗2025-10-14

▶