
Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 1 of 18
CVE-2024-34102 | P1 | CRITICAL | CISA KEV | public PoC | 2024-06-13
  Affected: ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8; +1 more range
  CWE-611: Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability
  Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit thi […]
  Sources: GHSA, OSV
CVE-2022-24086 | P1 | CRITICAL | CISA KEV | public PoC | 2022-02-17
  Affected: ≥ 2.3.3-p1, < 2.3.7-p3; ≥ 2.4.0, < 2.4.3-p2
  CWE-20: Magento improper input validation vulnerability
  Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
  Sources: GHSA, OSV
CVE-2025-54236 | P1 | CRITICAL | CISA KEV | public PoC | 2025-09-09
  Affected: ≥ 0, ≤ 2.4.5-p14; ≥ 2.4.6-p1, ≤ 2.4.6-p12; +3 more ranges
  CWE-20: Magento Community Edition Improper Input Validation vulnerability
  Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high […]
  Sources: GHSA, OSV
CVE-2019-7139 | P1 | CRITICAL | exploited in the wild | public PoC | 2022-05-24
  Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more range
  CWE-89: Magento 2 Community Edition SQLi Vulnerability
  An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
  Sources: GHSA, OSV
CVE-2024-20720 | P2 | HIGH | exploited in the wild | 2024-02-15
  Affected: ≥ 2.4.6-p1, < 2.4.6-p4; ≥ 2.4.5-p1, < 2.4.5-p6; +1 more range
  CWE-78: Magento Open Source allows OS Command Injection
  Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.
  Sources: GHSA, OSV
CVE-2025-24434 | P2 | CRITICAL | 2025-02-11
  Affected: ≥ 2.4.8-beta1, < 2.4.8-beta2; ≥ 2.4.7-beta1, < 2.4.7-p4; +3 more ranges
  CWE-285: Improper Authorization vulnerability in Magento and Adobe Commerce
  Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not re […]
  Sources: GHSA, OSV
CVE-2020-3716 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.2.0, < 2.2.11; ≥ 2.3.0, < 2.3.4
  CWE-502: Magento deserialization vulnerability
  Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2021-36020 | P2 | HIGH | 2022-05-24
  Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2
  CWE-91: Magento XML Injection vulnerability in the 'City' field
  Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
  Sources: GHSA, OSV
CVE-2022-34256 | P2 | HIGH | 2022-08-17
  Affected: ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5; +1 more range
  CWE-285: Magento Improper Authorization vulnerability
  Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other users' data. Exploitation of this issue does not require user interaction.
  Sources: GHSA, OSV
CVE-2020-3718 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4; ≥ 0, < 2.2.11
  Magento security bypass vulnerability
  Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9631 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, ≤ 2.2.11
  Magento security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9632 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9578 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  CWE-78: Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9576 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, < 2.2.12
  CWE-78: Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9583 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  CWE-78: Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9582 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, < 2.2.12
  CWE-78: Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2019-8159 | P3 | HIGH | 2022-05-24
  Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2
  CWE-78: Magento 2 Community Edition RCE Vulnerability
  A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides […]
  Sources: GHSA, OSV
CVE-2019-8144 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3, < 2.3.2-p1
  Magento 2 Community Edition RCE Vulnerability
  A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods.
  Sources: GHSA, OSV
CVE-2020-9580 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento Security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9579 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento Security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
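The affected ranges in this listing are expressed against Magento's Composer-style release tags (-alphaN, -betaN, plain release, -pN), and a naive string or float comparison gets the patch suffixes wrong. The following Python checker is an added example, not cvebase's or Magento's own code: it parses those tags, tests an installed version against ranges written exactly as they appear above, and separately reports advisories whose range list the page truncates with "+N more", so that a non-match against them is not mistaken for a clean result. The ordering rule (alpha < beta < plain release < p, then by number) is assumed from Composer's version semantics, and the ADVISORIES table is constructed from only the ranges printed on this page, so it is deliberately incomplete.

```python
"""Version-range checker for the magento/community-edition ranges on this page.

Added example, not cvebase's or Magento's code. It assumes Composer's ordering
for Magento release tags that share a numeric base:
    2.4.8-alpha2 < 2.4.8-beta1 < 2.4.8 < 2.4.8-p1 < 2.4.8-p2
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int, int, int]  # major, minor, patch, tag rank, tag number

# Rank of the release tag relative to the plain release (assumed Composer ordering).
_TAG_RANK: Dict[str, int] = {"alpha": 0, "beta": 1, "": 2, "p": 3}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(alpha|beta|p)(\d*))?$")
_BOUND_RE = re.compile(r"^(>=|<=|≥|≤|>|<|=)\s*(\S+)$")  # accepts the page's ≥/≤ glyphs
_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    ">=": lambda a, b: a >= b, "≥": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b, "≤": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(text: str) -> Version:
    """'2.4.6-p5' -> (2, 4, 6, 3, 5); '2.4.8-beta1' -> (2, 4, 8, 1, 1); '0' -> (0, 0, 0, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), _TAG_RANK[tag or ""], int(num or 0))


def in_range(version: str, affected: str) -> bool:
    """True if every comma-separated bound in e.g. '≥ 2.4.6-p1, < 2.4.6-p6' holds."""
    v = parse_version(version)
    for bound in affected.split(","):
        m = _BOUND_RE.match(bound.strip())
        if not m:
            raise ValueError(f"unrecognised bound: {bound!r}")
        op, limit = m.groups()
        if not _OPS[op](v, parse_version(limit)):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    ranges: List[str]
    complete: bool  # False where the page shows "+N more" ranges that are not reproduced here


# Constructed sample: only the ranges printed on page 1 of the listing.
# Rows the page marks "+N more" are incomplete here, so a non-match against
# them does not clear the version; fetch the full OSV record for those.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2024-34102", "CRITICAL", ["≥ 2.4.6-p1, < 2.4.6-p6", "≥ 2.4.5-p1, < 2.4.5-p8"], complete=False),
    Advisory("CVE-2025-54236", "CRITICAL", ["≥ 0, ≤ 2.4.5-p14", "≥ 2.4.6-p1, ≤ 2.4.6-p12"], complete=False),
    Advisory("CVE-2025-24434", "CRITICAL", ["≥ 2.4.8-beta1, < 2.4.8-beta2", "≥ 2.4.7-beta1, < 2.4.7-p4"], complete=False),
    Advisory("CVE-2022-24086", "CRITICAL", ["≥ 2.3.3-p1, < 2.3.7-p3", "≥ 2.4.0, < 2.4.3-p2"], complete=True),
]


def matching_advisories(version: str, advisories: List[Advisory] = ADVISORIES) -> List[str]:
    """CVE IDs whose listed ranges contain `version`, in listing order."""
    return [a.cve for a in advisories if any(in_range(version, r) for r in a.ranges)]


def check(version: str, advisories: List[Advisory] = ADVISORIES) -> Tuple[List[str], List[str]]:
    """(matched, unresolved): unresolved are advisories that did not match but whose
    range list is incomplete on this page, so they still need the full record."""
    matched = matching_advisories(version, advisories)
    unresolved = [a.cve for a in advisories if a.cve not in matched and not a.complete]
    return matched, unresolved


if __name__ == "__main__":
    for v in ("2.4.6-p5", "2.4.8-beta1", "2.4.8", "2.4.3-p1"):
        hit, todo = check(v)
        print(f"{v:12} affected: {hit or '-'}  needs full record: {todo or '-'}")
```

The version to feed in is the one Composer resolved for magento/community-edition (from composer.lock or `composer show magento/community-edition`), not a release name copied from an Adobe bulletin. Treat anything in the unresolved list as an open question until the complete range list has been checked.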