Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 10 of 18
CVE-2021-36039 | P3 | MEDIUM | affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36039 [MEDIUM] CWE-863: Magento discloses sensitive information
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.
CVE-2024-20759 | P3 | MEDIUM | affected: ≥ 2.4.7-beta1, < 2.4.7; ≥ 2.4.6-p1, < 2.4.6-p5 (+2 more) | 2024-04-10
CVE-2024-20759 [MEDIUM] CWE-79: Magento Open Source allows Cross-Site Scripting (XSS)
Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulne
CVE-2019-8232 | P3 | MEDIUM | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8232 [MEDIUM] CWE-362: Magento 2 Community Edition RCE Vulnerability
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.
CVE-2024-39400 | P3 | HIGH | affected: ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7 (+2 more) | 2024-08-14
CVE-2024-39400 [HIGH] CWE-79: Magento DOM-based Cross-Site Scripting (XSS) vulnerability
Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convi
CVE-2023-26366 | P3 | MEDIUM | affected: ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3 (+2 more) | 2023-10-13
CVE-2023-26366 [MEDIUM] CWE-918: Magento Open Source allows Server-Side Request Forgery (SSRF)
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via inject
CVE-2025-49558 | P3 | MEDIUM | affected: ≥ 2.4.9-alpha1, < 2.4.9-alpha2; ≥ 2.4.8-beta1, < 2.4.8-p2 (+3 more) | 2025-08-12
CVE-2025-49558 [MEDIUM] CWE-367: Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a res
CVE-2021-21026 | P4 | MEDIUM | affected: ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
CVE-2021-21026 [MEDIUM] CWE-285: Magento improper authorization vulnerability in the integrations module
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required
CVE-2020-9692 | P4 | MEDIUM | affected: ≥ 0, < 2.3.5-p2 | 2022-05-24
CVE-2020-9692 [MEDIUM] CWE-863: Magento security mitigation bypass vulnerability
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-8133 | P4 | MEDIUM | affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8133 [MEDIUM] Bypass of sitemap access restrictions
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://de
CVE-2019-7904 | P4 | MEDIUM | affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7904 [MEDIUM] Magento 2 Community Edition Insufficient Access Controls
Insufficient enforcement of user access controls in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could enable a low-privileged user to make unauthorized environment configuration changes.
CVE-2024-20718 | P4 | MEDIUM | affected: ≥ 2.4.6-p1, < 2.4.6-p4; ≥ 2.4.5-p1, < 2.4.5-p6 (+1 more) | 2024-02-15
CVE-2024-20718 [MEDIUM] CWE-352: Magento Open Source allows Cross-Site Request Forgery (CSRF)
Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and
CVE-2021-21031 | P4 | MEDIUM | affected: ≥ 2.4.0, < 2.4.1-p1; ≥ 0, < 2.3.6 | 2022-05-24
CVE-2021-21031 [MEDIUM] CWE-613: Magento Insufficient Session Expiration
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
CVE-2021-39864 | P4 | MEDIUM | affected: ≥ 2.4.2-p1, ≤ 2.4.2-p2; ≥ 0, < 2.3.7-p2 | 2022-05-24
CVE-2021-39864 [MEDIUM] CWE-352: Magento Open Source allows Cross-Site Request Forgery (CSRF)
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7-p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Access to the admin console is not required f
CVE-2019-7888 | P4 | MEDIUM | affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7888 [MEDIUM] CWE-200: Magento 2 Community Edition Information Disclosure
An information disclosure vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to create email templates could leak sensitive data via a malicious email template.
CVE-2019-7872 | P4 | MEDIUM | affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7872 [MEDIUM] CWE-285: Magento Insufficient authorization check when adding users to company accounts
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to insufficient authorization checks. This can be abused by a user with admin privileges to add users to company accounts or modify existing user details.
CVE-2020-9689 | P4 | MEDIUM | affected: ≥ 0, < 2.3.5-p2 | 2022-05-24
CVE-2020-9689 [MEDIUM] CWE-22: Magento path traversal vulnerability
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2021-21032 | P4 | MEDIUM | affected: ≥ 2.4.0, < 2.4.1-p1; ≥ 0, < 2.3.6 | 2022-05-24
CVE-2021-21032 [MEDIUM] CWE-613: Magento Insufficient Session Expiration
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.
CVE-2024-45131 | P4 | MEDIUM | affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more) | 2024-10-10
CVE-2024-45131 [MEDIUM] CWE-285: Magento Open Source Improper Authorization vulnerability
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality and integrity. Exploitation of this iss
CVE-2025-24437 | P4 | MEDIUM | affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more) | 2025-02-11
CVE-2025-24437 [MEDIUM] CWE-284: Magento Improper Access Control vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain elevated privileges. Exploitation of this issue does not require user interaction.
CVE-2021-21020 | P4 | MEDIUM | affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21020 [MEDIUM] CWE-284: Magento Improper Access Control
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.