CVE-2025-54266 — Cross-site Scripting in Adobe Commerce

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 82.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Community-edition Adobe Commerce Magento Project-community-edition +3 more

Timeline

PublishedOct 14

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages6 packages

▶CVEListV5adobe/adobe_commerce2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15

▶NVDadobe/commerce6 versions+5

▶NVDadobe/commerce_b2b6 versions+5

▶NVDadobe/magento4 versions+3

▶Packagistmagento/community-edition2.4.9-alpha1 — 2.4.9-alpha3+3

🔴Vulnerability Details

CVEList

Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)↗2025-10-14

▶

OSV

Magento vulnerable to stored Cross-Site Scripting (XSS)↗2025-10-14

▶

GHSA

Magento vulnerable to stored Cross-Site Scripting (XSS)↗2025-10-14

▶

🕵️Threat Intelligence

Wiz

CVE-2023-54266 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶