Adobe Commerce vulnerabilities

169 known vulnerabilities affecting adobe/commerce.

Total CVEs

169

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL11HIGH57MEDIUM89LOW12

Vulnerabilities

Page 1 of 9

CVE-2026-21284HIGHCVSS 8.1fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21284 [HIGH] CWE-79 CVE-2026-21284: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to

nvd

CVE-2026-21309HIGHCVSS 7.5fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21309 [HIGH] CWE-863 CVE-2026-21309: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue do

nvd

CVE-2026-21361HIGHCVSS 8.1fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21361 [HIGH] CWE-79 CVE-2026-21361: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vvulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse t

nvd

CVE-2026-21290HIGHCVSS 8.7fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21290 [HIGH] CWE-79 CVE-2026-21290: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to

nvd

CVE-2026-21311HIGHCVSS 8.0fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21311 [HIGH] CWE-79 CVE-2026-21311: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to

nvd

CVE-2026-21289HIGHCVSS 7.5fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21289 [HIGH] CWE-863 CVE-2026-21289: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue do

nvd

CVE-2026-21360MEDIUMCVSS 6.8fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21360 [MEDIUM] CWE-22 CVE-2026-21360: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files

nvd

CVE-2026-21285MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21285 [MEDIUM] CWE-863 CVE-2026-21285: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Explo

nvd

CVE-2026-21292MEDIUMCVSS 5.4fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21292 [MEDIUM] CWE-79 CVE-2026-21292: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victi

nvd

CVE-2026-21310MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21310 [MEDIUM] CWE-20 CVE-2026-21310: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction.

nvd

CVE-2026-21293MEDIUMCVSS 5.5fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21293 [MEDIUM] CWE-918 CVE-2026-21293: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Expl

nvd

CVE-2026-21359MEDIUMCVSS 4.7fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21359 [MEDIUM] CWE-863 CVE-2026-21359: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The

nvd

CVE-2026-21297MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21297 [MEDIUM] CWE-863 CVE-2026-21297: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Explo

nvd

CVE-2026-21294MEDIUMCVSS 5.5fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21294 [MEDIUM] CWE-918 CVE-2026-21294: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitat

nvd

CVE-2026-21291MEDIUMCVSS 4.8fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21291 [MEDIUM] CWE-79 CVE-2026-21291: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must b

nvd

CVE-2026-21296MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21296 [MEDIUM] CWE-863 CVE-2026-21296: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Explo

nvd

CVE-2026-21282MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21282 [MEDIUM] CWE-20 CVE-2026-21282: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploi

nvd

CVE-2026-21286MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21286 [MEDIUM] CWE-863 CVE-2026-21286: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of thi

nvd

CVE-2026-21295LOWCVSS 3.1fixed in 2.4.4v2.4.4+5 more2026-03-11

CVE-2026-21295 [LOW] CWE-601 CVE-2026-21295: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

nvd

CVE-2025-54264HIGHCVSS 8.1v2.4.4v2.4.5+4 more2025-10-14

CVE-2025-54264 [HIGH] CWE-79 CVE-2025-54264: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s

nvd

1 / 9Next →