Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 1 of 18
CVE-2024-34102 | P1 | CRITICAL | CWE-611 | KEV | PoC | 2024-06-13
  Affected: ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8; +1 more
  Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability
  Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit thi
  Sources: GHSA, OSV
CVE-2022-24086 | P1 | CRITICAL | CWE-20 | KEV | PoC | 2022-02-17
  Affected: ≥ 2.3.3-p1, < 2.3.7-p3; ≥ 2.4.0, < 2.4.3-p2
  Magento improper input validation vulnerability
  Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.
  Sources: GHSA, OSV
CVE-2025-54236 | P1 | CRITICAL | CWE-20 | KEV | PoC | 2025-09-09
  Affected: ≥ 0, ≤ 2.4.5-p14; ≥ 2.4.6-p1, ≤ 2.4.6-p12; +3 more
  Magento Community Edition Improper Input Validation vulnerability
  Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high.
  Sources: GHSA, OSV
CVE-2019-7139 | P1 | CRITICAL | CWE-89 | Exploited | PoC | 2022-05-24
  Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
  Magento 2 Community Edition SQLi Vulnerability
  An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
  Sources: GHSA, OSV
CVE-2024-20720 | P2 | HIGH | CWE-78 | Exploited | 2024-02-15
  Affected: ≥ 2.4.6-p1, < 2.4.6-p4; ≥ 2.4.5-p1, < 2.4.5-p6; +1 more
  Magento Open Source allows OS Command Injection
  Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.
  Sources: GHSA, OSV
CVE-2025-24434 | P2 | CRITICAL | CWE-285 | 2025-02-11
  Affected: ≥ 2.4.8-beta1, < 2.4.8-beta2; ≥ 2.4.7-beta1, < 2.4.7-p4; +3 more
  Improper Authorization vulnerability in Magento and Adobe Commerce
  Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not re
  Sources: GHSA, OSV
CVE-2020-3716 | P2 | CRITICAL | CWE-502 | 2022-05-24
  Affected: ≥ 2.2.0, < 2.2.11; ≥ 2.3.0, < 2.3.4
  Magento deserialization vulnerability
  Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2021-36020 | P2 | HIGH | CWE-91 | 2022-05-24
  Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2
  Magento XML Injection vulnerability in the 'City' field
  Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
  Sources: GHSA, OSV
CVE-2022-34256 | P2 | HIGH | CWE-285 | 2022-08-17
  Affected: ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5; +1 more
  Magento Improper Authorization vulnerability
  Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to access other users' data. Exploitation of this issue does not require user interaction.
  Sources: GHSA, OSV
CVE-2020-3718 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4; ≥ 0, < 2.2.11
  Magento security bypass vulnerability
  Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9631 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, ≤ 2.2.11
  Magento security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9632 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9578 | P3 | CRITICAL | CWE-78 | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9576 | P3 | CRITICAL | CWE-78 | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, < 2.2.12
  Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9583 | P3 | CRITICAL | CWE-78 | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9582 | P3 | CRITICAL | CWE-78 | 2022-05-24
  Affected: ≥ 2.3.0, < 2.3.4-p2; ≥ 0, < 2.2.12
  Magento command injection vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2019-8159 | P3 | HIGH | CWE-78 | 2022-05-24
  Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2
  Magento 2 Community Edition RCE Vulnerability
  A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection.
  As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides
  Sources: GHSA, OSV
CVE-2019-8144 | P2 | CRITICAL | 2022-05-24
  Affected: ≥ 2.3, < 2.3.2-p1
  Magento 2 Community Edition RCE Vulnerability
  A remote code execution vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can insert a malicious payload through PageBuilder template methods.
  Sources: GHSA, OSV
CVE-2020-9580 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento Security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV
CVE-2020-9579 | P3 | CRITICAL | 2022-05-24
  Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2
  Magento Security mitigation bypass vulnerability
  Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
  Sources: GHSA, OSV