Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 11 of 18
CVE-2020-24408 | P4 | MEDIUM | Affected: ≥ 0, < 2.4.1 | Published: 2022-05-24
CVE-2020-24408 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by a persistent XSS vulnerability that allows users to upload malicious JavaScript via the file upload component. This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
Sources: GHSA, OSV
CVE-2024-34106 | P4 | MEDIUM | Affected: ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8; +1 more | Published: 2024-06-13
CVE-2024-34106 [MEDIUM] CWE-863 Magento Open Source Incorrect Authorization vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to gain unauthorized access or perform actions with the privileges of another user. Exploitation of this issue does not require u
Sources: GHSA, OSV
CVE-2025-49559 | P4 | MEDIUM | Affected: ≥ 2.4.9-alpha1, < 2.4.9-alpha2; ≥ 2.4.8-beta1, < 2.4.8-p2; +3 more | Published: 2025-08-12
CVE-2025-49559 [MEDIUM] CWE-22 Magento vulnerable to path traversal
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2024-45128 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8; +2 more | Published: 2024-10-10
CVE-2024-45128 [MEDIUM] CWE-285 Magento Open Source Improper Authorization vulnerability
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity and availability. Exploitation of this issue
Sources: GHSA, OSV
CVE-2025-27191 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p5; ≥ 2.4.6-p1, < 2.4.6-p10; +3 more | Published: 2025-04-08
CVE-2025-27191 [MEDIUM] CWE-284 Magento Improper Access Control leads to Security feature bypass
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require u
Sources: GHSA, OSV
CVE-2025-27190 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p5; ≥ 2.4.6-p1, < 2.4.6-p10; +3 more | Published: 2025-04-08
CVE-2025-27190 [MEDIUM] CWE-284 Magento Improper Access Control leads to Security feature bypass
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require u
Sources: GHSA, OSV
CVE-2025-27206 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p6; ≥ 2.4.6-p1, < 2.4.6-p11; +1 more | Published: 2025-06-10
CVE-2025-27206 [MEDIUM] CWE-284 Magento Improper Access Control leads to security feature bypass
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not requir
Sources: GHSA, OSV
CVE-2021-21022 | P4 | MEDIUM | Affected: ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.1-p1 | Published: 2022-05-24
CVE-2021-21022 [MEDIUM] CWE-285 Magento Insecure Direct Object Reference (IDOR) in the product module
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.
Sources: GHSA, OSV
CVE-2020-24402 | P4 | MEDIUM | Affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1 | Published: 2022-05-24
CVE-2020-24402 [MEDIUM] CWE-276 Magento incorrect permissions vulnerability in the Integrations component
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
Sources: GHSA, OSV
CVE-2021-28585 | P4 | MEDIUM | Affected: ≥ 2.4.0, < 2.4.2-p1; ≥ 0, < 2.3.7 | Published: 2022-05-24
CVE-2021-28585 [MEDIUM] CWE-20 Magento Improper input validation vulnerability
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI. Successful exploitation could allow an attacker to send unsolicited spam e-mails.
Sources: GHSA, OSV
CVE-2022-34259 | P4 | MEDIUM | Affected: ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5; +1 more | Published: 2022-08-17
CVE-2022-34259 [MEDIUM] CWE-284 Magento Improper Access Control vulnerability
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2022-35689 | P4 | MEDIUM | Affected: ≥ 2.4.4-p1, < 2.4.4-p2; ≥ 2.4.3-p1, ≤ 2.4.3-p3 | Published: 2022-10-15
CVE-2022-35689 [MEDIUM] CWE-284 Magento Open Source allows Improper Access Control
Adobe Commerce versions 2.4.3-p3 (and earlier), 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2024-45124 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8; +2 more | Published: 2024-10-10
CVE-2024-45124 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user intera
Sources: GHSA, OSV
CVE-2023-29290 | P4 | MEDIUM | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | Published: 2023-06-15
CVE-2023-29290 [MEDIUM] CWE-353 Magento Open Source allows Incorrect Authorization
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2024-39418 | P4 | MEDIUM | Affected: ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more | Published: 2024-08-14
CVE-2024-39418 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability
Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2020-3717 | P4 | MEDIUM | Affected: ≥ 2.2.0, < 2.2.11; ≥ 2.3.0, < 2.3.4 | Published: 2022-05-24
CVE-2020-3717 [MEDIUM] CWE-22 Magento Path Traversal
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a path traversal vulnerability. Successful exploitation could lead to sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-36026 | P4 | MEDIUM | Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | Published: 2022-05-24
CVE-2021-36026 [MEDIUM] CWE-79 Magento stored cross-site scripting vulnerability in the customer address upload feature
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Mali
Sources: GHSA, OSV
CVE-2023-29291 | P4 | MEDIUM | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | Published: 2023-06-15
CVE-2023-29291 [MEDIUM] CWE-918 Magento Open Source allows Server-Side Request Forgery (SSRF)
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploi
Sources: GHSA, OSV
CVE-2023-22250 | P4 | MEDIUM | Affected: ≥ 2.4.4-p1, < 2.4.4-p3; ≥ 2.4.5-p1, < 2.4.5-p2 | Published: 2023-03-27
CVE-2023-22250 [MEDIUM] CWE-284 Magento Open Source allows Improper Access Control
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2023-29292 | P4 | MEDIUM | Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | Published: 2023-06-15
CVE-2023-29292 [MEDIUM] CWE-918 Magento Open Source allows Server-Side Request Forgery (SSRF)
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploi
Sources: GHSA, OSV