Adobe Commerce vulnerabilities

169 known vulnerabilities affecting adobe/commerce.

Total CVEs

169

CISA KEV

actively exploited

Public exploits

Exploited in wild

Severity breakdown

CRITICAL11HIGH57MEDIUM89LOW12

Vulnerabilities

Page 3 of 9

CVE-2025-27192LOWCVSS 2.7fixed in 2.4.4v2.4.4+4 more2025-04-08

CVE-2025-27192 [LOW] CWE-522 CVE-2025-27192: Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affect Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential inf

nvd

CVE-2025-24434CRITICALCVSS 9.1v2.4.4v2.4.5+3 more2025-02-11

CVE-2025-24434 [CRITICAL] CWE-863 CVE-2025-24434: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user intera

nvd

CVE-2025-24416HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24416 [HIGH] CWE-79 CVE-2025-24416: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24417HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24417 [HIGH] CWE-79 CVE-2025-24417: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24412HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24412 [HIGH] CWE-79 CVE-2025-24412: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24406HIGHCVSS 7.5fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24406 [HIGH] CWE-22 CVE-2025-24406: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the r

nvd

CVE-2025-24413HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24413 [HIGH] CWE-79 CVE-2025-24413: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24414HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24414 [HIGH] CWE-79 CVE-2025-24414: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24409HIGHCVSS 8.2fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24409 [HIGH] CWE-863 CVE-2025-24409: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affec Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both a High impact to confidentiality and L

nvd

CVE-2025-24415HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24415 [HIGH] CWE-79 CVE-2025-24415: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24438HIGHCVSS 8.7v2.4.4v2.4.5+3 more2025-02-11

CVE-2025-24438 [HIGH] CWE-79 CVE-2025-24438: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24411HIGHCVSS 8.1fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24411 [HIGH] CWE-284 CVE-2025-24411: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access affecting Confidentiality and Integrity.

nvd

CVE-2025-24410HIGHCVSS 8.7fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24410 [HIGH] CWE-79 CVE-2025-24410: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page con

nvd

CVE-2025-24437MEDIUMCVSS 5.4v2.4.4v2.4.5+3 more2025-02-11

CVE-2025-24437 [MEDIUM] CWE-863 CVE-2025-24437: Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affect Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view or modify select information. Exploitation of this issue does not require user interactio

nvd

CVE-2025-24435MEDIUMCVSS 4.3v2.4.4v2.4.5+3 more2025-02-11

CVE-2025-24435 [MEDIUM] CWE-284 CVE-2025-24435: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to modify limited fields. Exploitation of th

nvd

CVE-2025-24428MEDIUMCVSS 5.4fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24428 [MEDIUM] CWE-79 CVE-2025-24428: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page c

nvd

CVE-2025-24421MEDIUMCVSS 4.3fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24421 [MEDIUM] CWE-863 CVE-2025-24421: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to read select data. Exploitation of this issue does not require user interaction

nvd

CVE-2025-24436MEDIUMCVSS 4.3v2.4.4v2.4.5+3 more2025-02-11

CVE-2025-24436 [MEDIUM] CWE-863 CVE-2025-24436: Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affect Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view select information. Exploitation of this issue does not require user interaction.

nvd

CVE-2025-24425MEDIUMCVSS 5.3fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24425 [MEDIUM] CWE-840 CVE-2025-24425: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to circumvent intended security mechanisms by manipulating the logic of the application's operations causing limite

nvd

CVE-2025-24427MEDIUMCVSS 6.5fixed in 2.4.4v2.4.4+4 more2025-02-11

CVE-2025-24427 [MEDIUM] CWE-284 CVE-2025-24427: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affect Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue does

nvd

← Previous3 / 9Next →