Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs
355
CISA KEV
3
actively exploited
Public exploits
4
Exploited in wild
3
Severity breakdown
CRITICAL41HIGH105MEDIUM192LOW17
Vulnerabilities
Page 1 of 18
CVE-2025-54263HIGH≥ 2.4.9-alpha1, < 2.4.9-alpha3≥ 2.4.8-beta1, < 2.4.8-p3+2 more2025-10-14
CVE-2025-54263 [HIGH] CWE-863 Magento provides incorrect authorization through a security feature bypass
Magento provides incorrect authorization through a security feature bypass
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require
ghsaosv
CVE-2025-54264HIGH≥ 2.4.9-alpha1, < 2.4.9-alpha3≥ 2.4.8-beta1, < 2.4.8-p3+2 more2025-10-14
CVE-2025-54264 [HIGH] CWE-79 Magento vulnerable to stored Cross-Site Scripting (XSS)
Magento vulnerable to stored Cross-Site Scripting (XSS)
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page c
ghsaosv
CVE-2025-54267MEDIUM≥ 2.4.9-alpha1, < 2.4.9-alpha3≥ 2.4.8-beta1, < 2.4.8-p3+2 more2025-10-14
CVE-2025-54267 [MEDIUM] CWE-863 Magento vulnerable to privilege escalation due to incorrect authorization
Magento vulnerable to privilege escalation due to incorrect authorization
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity im
ghsaosv
CVE-2025-54266MEDIUM≥ 2.4.9-alpha1, < 2.4.9-alpha3≥ 2.4.8-beta1, < 2.4.8-p3+2 more2025-10-14
CVE-2025-54266 [MEDIUM] CWE-79 Magento vulnerable to stored Cross-Site Scripting (XSS)
Magento vulnerable to stored Cross-Site Scripting (XSS)
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page
ghsaosv
CVE-2025-54265MEDIUM≥ 2.4.9-alpha1, < 2.4.9-alpha3≥ 2.4.8-beta1, < 2.4.8-p3+2 more2025-10-14
CVE-2025-54265 [MEDIUM] CWE-863 Magento allows incorrect authorization
Magento allows incorrect authorization
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-54236CRITICALKEVPoC≥ 0, ≤ 2.4.5-p14≥ 2.4.6-p1, ≤ 2.4.6-p12+3 more2025-09-09
CVE-2025-54236 [CRITICAL] CWE-20 Magento Community Edition Improper Input Validation vulnerability
Magento Community Edition Improper Input Validation vulnerability
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high
ghsaosv
CVE-2025-49555HIGH≥ 2.4.9-alpha1, < 2.4.9-alpha2≥ 2.4.8-beta1, < 2.4.8-p2+3 more2025-08-12
CVE-2025-49555 [HIGH] CWE-352 Magento Cross-Site Request Forgery (CSRF) vulnerability
Magento Cross-Site Request Forgery (CSRF) vulnerability
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially all
ghsaosv
CVE-2025-49556HIGH≥ 2.4.9-alpha1, < 2.4.9-alpha2≥ 2.4.8-beta1, < 2.4.8-p2+3 more2025-08-12
CVE-2025-49556 [HIGH] CWE-863 Magento has incorrect authorization issue that leads to arbitrary file system read
Magento has incorrect authorization issue that leads to arbitrary file system read
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read ac
ghsaosv
CVE-2025-49554HIGH≥ 2.4.9-alpha1, < 2.4.9-alpha2≥ 2.4.8-beta1, < 2.4.8-p2+3 more2025-08-12
CVE-2025-49554 [HIGH] CWE-20 Magento vulnerable to denial of service
Magento vulnerable to denial of service
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require us
ghsaosv
CVE-2025-49557HIGH≥ 0, < 2.4.4-p15≥ 2.4.5-p1, < 2.4.5-p14+2 more2025-08-12
CVE-2025-49557 [HIGH] CWE-79 Magento Cross-site Scripting vulnerability
Magento Cross-site Scripting vulnerability
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data.
ghsaosv
CVE-2025-49559MEDIUM≥ 2.4.9-alpha1, < 2.4.9-alpha2≥ 2.4.8-beta1, < 2.4.8-p2+3 more2025-08-12
CVE-2025-49559 [MEDIUM] CWE-22 Magento vulnerable to path traversal
Magento vulnerable to path traversal
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-49558MEDIUM≥ 2.4.9-alpha1, < 2.4.9-alpha2≥ 2.4.8-beta1, < 2.4.8-p2+3 more2025-08-12
CVE-2025-49558 [MEDIUM] CWE-367 Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a res
ghsaosv
CVE-2025-49550MEDIUM≥ 2.4.7-beta1, < 2.4.7-p6≥ 2.4.6-p1, < 2.4.6-p11+1 more2025-06-26
CVE-2025-49550 [MEDIUM] CWE-863 Magento Security feature bypass
Magento Security feature bypass
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.
ghsaosv
CVE-2025-49549LOW≥ 2.4.7-beta1, < 2.4.7-p6≥ 2.4.6-p1, < 2.4.6-p11+1 more2025-06-26
CVE-2025-49549 [LOW] CWE-863 Magento Authenticated Security feature bypass
Magento Authenticated Security feature bypass
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-47110CRITICAL≥ 2.4.8-beta1, < 2.4.8-p1≥ 2.4.7-beta1, < 2.4.7-p6+2 more2025-06-10
CVE-2025-47110 [CRITICAL] CWE-79 Magneto contains stored XSS vulnerability
Magneto contains stored XSS vulnerability
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
ghsaosv
CVE-2025-43585HIGH≥ 2.4.7-beta1, < 2.4.7-p6≥ 2.4.6-p1, < 2.4.6-p11+1 more2025-06-10
CVE-2025-43585 [HIGH] CWE-285 Magento Improper Authorization leading to security feature bypass
Magento Improper Authorization leading to security feature bypass
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a
ghsaosv
CVE-2025-27206MEDIUM≥ 2.4.7-beta1, < 2.4.7-p6≥ 2.4.6-p1, < 2.4.6-p11+1 more2025-06-10
CVE-2025-27206 [MEDIUM] CWE-284 Magento Improper Access Control leads to security feature bypass
Magento Improper Access Control leads to security feature bypass
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not requir
ghsaosv
CVE-2025-27191MEDIUM≥ 2.4.7-beta1, < 2.4.7-p5≥ 2.4.6-p1, < 2.4.6-p10+3 more2025-04-08
CVE-2025-27191 [MEDIUM] CWE-284 Magento Improper Access Control leads to Security feature bypass
Magento Improper Access Control leads to Security feature bypass
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require u
ghsaosv
CVE-2025-27188MEDIUM≥ 0, < 2.4.4-p13≥ 2.4.5-p1, < 2.4.5-p12+3 more2025-04-08
CVE-2025-27188 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability
Magento Improper Authorization vulnerability
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-27190MEDIUM≥ 2.4.7-beta1, < 2.4.7-p5≥ 2.4.6-p1, < 2.4.6-p10+3 more2025-04-08
CVE-2025-27190 [MEDIUM] CWE-284 Magento Improper Access Control leads to Security feature bypass
Magento Improper Access Control leads to Security feature bypass
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require u
ghsaosv
1 / 18Next →