cbcvebase.

Adobe Commerce vulnerabilities

184 known vulnerabilities affecting adobe/commerce.

Total CVEs
184
CISA KEV
3
actively exploited
Public exploits
3
Exploited in wild
3
Severity breakdown
CRITICAL11HIGH66MEDIUM94LOW13

Vulnerabilities

Page 2 of 10
CVE-2026-21289HIGHCVSS 7.5fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21289 [HIGH] CWE-863 CVE-2026-21289: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized view access of data. Exploitation of this issue do
nvd
CVE-2026-21360MEDIUMCVSS 6.8fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21360 [MEDIUM] CWE-22 CVE-2026-21360: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access unauthorized files
nvd
CVE-2026-21285MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21285 [MEDIUM] CWE-863 CVE-2026-21285: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Explo
nvd
CVE-2026-21292MEDIUMCVSS 5.4fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21292 [MEDIUM] CWE-79 CVE-2026-21292: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victi
nvd
CVE-2026-21310MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21310 [MEDIUM] CWE-20 CVE-2026-21310: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction.
nvd
CVE-2026-21293MEDIUMCVSS 5.5fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21293 [MEDIUM] CWE-918 CVE-2026-21293: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and access unauthorized resources. Expl
nvd
CVE-2026-21359MEDIUMCVSS 4.7fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21359 [MEDIUM] CWE-863 CVE-2026-21359: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have limited impact to the integrity and availability of data. The
nvd
CVE-2026-21297MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21297 [MEDIUM] CWE-863 CVE-2026-21297: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access to a feature. Explo
nvd
CVE-2026-21294MEDIUMCVSS 5.5fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21294 [MEDIUM] CWE-918 CVE-2026-21294: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate server-side requests and bypass security controls. Exploitat
nvd
CVE-2026-21291MEDIUMCVSS 4.8fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21291 [MEDIUM] CWE-79 CVE-2026-21291: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Exploitation of this issue requires user interaction in that a victim must b
nvd
CVE-2026-21296MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21296 [MEDIUM] CWE-863 CVE-2026-21296: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Explo
nvd
CVE-2026-21282MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21282 [MEDIUM] CWE-20 CVE-2026-21282: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploi
nvd
CVE-2026-21286MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21286 [MEDIUM] CWE-863 CVE-2026-21286: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized view access of data. Exploitation of thi
nvd
CVE-2026-21295LOWCVSS 3.1fixed in 2.4.4v2.4.4+5 more2026-03-11
CVE-2026-21295 [LOW] CWE-601 CVE-2026-21295: Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlie Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.
nvd
CVE-2025-54264HIGHCVSS 8.1v2.4.4v2.4.5+4 more2025-10-14
CVE-2025-54264 [HIGH] CWE-79 CVE-2025-54264: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s
nvd
CVE-2025-54263HIGHCVSS 8.1v2.4.4v2.4.5+4 more2025-10-14
CVE-2025-54263 [HIGH] CWE-863 CVE-2025-54263: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.
nvd
CVE-2025-54266MEDIUMCVSS 4.8v2.4.4v2.4.5+4 more2025-10-14
CVE-2025-54266 [MEDIUM] CWE-79 CVE-2025-54266: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse
nvd
CVE-2025-54267MEDIUMCVSS 6.5v2.4.4v2.4.5+4 more2025-10-14
CVE-2025-54267 [MEDIUM] CWE-863 CVE-2025-54267: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitatio
nvd
CVE-2025-54265MEDIUMCVSS 5.9v2.4.4v2.4.5+4 more2025-10-14
CVE-2025-54265 [MEDIUM] CWE-863 CVE-2025-54265: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this
nvd
CVE-2025-54236CRITICALCVSS 9.1KEVPoCv2.4.4v2.4.5+4 more2025-09-09
CVE-2025-54236 [CRITICAL] CWE-20 CVE-2025-54236: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlie Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction
nvd
← Previous2 / 10Next →