cvebase

Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 13 of 18
CVE-2020-3715 [MEDIUM] P4 CWE-79 Magento stored cross-site scripting vulnerability
Affected: ≥ 2.3.0, < 2.3.4; ≥ 0, < 2.2.11 | Date: 2022-05-24 | Sources: GHSA, OSV
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVE-2020-3758 [MEDIUM] P4 CWE-79 Magento stored cross-site scripting vulnerability
Affected: ≥ 2.3.0, < 2.3.4; ≥ 0, < 2.2.11 | Date: 2022-05-24 | Sources: GHSA, OSV
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVE-2019-7929 [MEDIUM] P4 CWE-200 Magento 2 Community Edition Information Disclosure
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges may be able to view metadata of a trusted device used by another administrator via a crafted HTTP request.

CVE-2019-7898 [MEDIUM] P4 CWE-20 Magento 2 Community Edition Information Disclosure
Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
Samples of disabled downloadable products are accessible in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 due to inadequate validation of user input.

CVE-2019-7899 [MEDIUM] P4 CWE-20 Magento 2 Community Edition Information Disclosure
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
Names of disabled downloadable products could be disclosed due to inadequate validation of user input in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

CVE-2019-8126 [MEDIUM] P4 CWE-611 Information disclosure through processing of external XML entities
Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | Date: 2019-11-12 | Sources: GHSA, OSV
An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to informatio

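The entry above gives the whole mechanism in one sentence: the attacker controls the document type definition, so the parser is told about an external entity, and expanding that entity reads a file of the attacker's choosing. The block below is an added example, not Magento's code and not cvebase's: it reproduces the vulnerable and the hardened parser with Python's expat binding (Magento itself parses layout XML with PHP's libxml, where entity substitution is the LIBXML_NOENT flag, but the shape of the bug and of the fix is the same). The secret file, its path, the entity name `leak` and the layout-like XML are all constructed for the demonstration.

```python
# Added example (not Magento's or cvebase's code): the XXE mechanism behind
# CVE-2019-8126, reproduced with Python's expat binding. The secret file, its
# path and the layout-like XML are constructed for the demonstration.
import os
import tempfile
import xml.parsers.expat as expat

# Constructed input: an internal DTD subset declares an external general entity
# whose SYSTEM identifier is a file on the server, and the body references it.
LAYOUT_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE layout [\n'
    '  <!ENTITY leak SYSTEM "{path}">\n'
    ']>\n'
    '<layout><block name="content">&leak;</block></layout>\n'
)


class DoctypeRejected(Exception):
    """Raised by the hardened configuration when the document carries a DTD."""


def parse_text(xml_bytes: bytes, resolve_external: bool, reject_doctype: bool) -> str:
    """Parse xml_bytes and return the concatenated character data.

    resolve_external=True is the vulnerable configuration: the resolver opens
    whatever file the DTD names and expands its contents into the document.
    reject_doctype=True is the hardened configuration: any DOCTYPE aborts
    parsing before an entity can be declared at all, so safety does not
    depend on remembering the right resolver setting.
    """
    parser = expat.ParserCreate()
    chunks = []

    def on_chars(data):
        chunks.append(data)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in user-supplied XML")

    def on_external_entity(context, base, system_id, public_id):
        # Vulnerable resolver: read the named file and parse it as an external
        # parsed entity; its text reaches on_chars like any other content.
        with open(system_id, "rb") as fh:
            body = fh.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits the handlers
        child.Parse(body, True)
        return 1  # tell expat the reference was handled

    parser.CharacterDataHandler = on_chars
    if reject_doctype:
        parser.StartDoctypeDeclHandler = on_doctype
    if resolve_external:
        parser.ExternalEntityRefHandler = on_external_entity
    # With no ExternalEntityRefHandler installed, expat leaves &leak; unexpanded.
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Run the three configurations against a constructed secret file."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "env.php")  # stands in for a server-side config
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("db_password=s3cret")  # constructed sample secret
        doc = LAYOUT_TEMPLATE.format(path=secret_path).encode("utf-8")

        leaked = parse_text(doc, resolve_external=True, reject_doctype=False)
        unexpanded = parse_text(doc, resolve_external=False, reject_doctype=False)
        try:
            parse_text(doc, resolve_external=True, reject_doctype=True)
            hardened = "parsed"
        except DoctypeRejected:
            hardened = "rejected"
    return {"vulnerable": leaked, "unexpanded": unexpanded, "hardened": hardened}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>11}: {result!r}")
```

The middle configuration (no resolver installed) is what a correctly configured parser does with the same input, and it is also what makes this class of bug easy to reintroduce: nothing in the document changes, only a parser option does. Refusing the DOCTYPE outright is the check that survives a later change of parser or flags, which is why the hardened path rejects the document instead of merely not resolving the entity.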
CVE-2019-7945 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to modify currency symbols can inject malicious JavaScript.

CVE-2019-7882 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can inject malicious SWF files.

CVE-2019-8138 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event.

CVE-2025-27188 [MEDIUM] P4 CWE-285 Magento Improper Authorization vulnerability
Affected: ≥ 0, < 2.4.4-p13; ≥ 2.4.5-p1, < 2.4.5-p12; +3 more | Date: 2025-04-08 | Sources: GHSA, OSV
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

CVE-2025-24435 [MEDIUM] P4 CWE-284 Magento Improper Access Control vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9; +2 more | Date: 2025-02-11 | Sources: GHSA, OSV
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to modify limited fields. Exploitation of this issue does not requir

CVE-2020-9577 [MEDIUM] P4 CWE-79 Magento stored cross-site scripting vulnerability
Affected: ≥ 0, < 2.3.4-p2 | Date: 2022-05-24 | Sources: GHSA, OSV
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVE-2020-9581 [MEDIUM] P4 CWE-79 Magento stored cross-site scripting vulnerability
Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | Date: 2022-05-24 | Sources: GHSA, OSV
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVE-2019-7939 [MEDIUM] P4 CWE-79 Magento Reflected cross-site scripting on customer cart page
Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious JavaScript execution in the victim's browser.

CVE-2019-8124 [MEDIUM] P4 CWE-345 Magento 2 Community Edition Insufficient Logging
Affected: ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
An insufficient logging and monitoring vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Failure to track admin actions related to design configuration could lead to repudiation attacks.

CVE-2019-7877 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manage orders can inject malicious JavaScript.

CVE-2019-7925 [MEDIUM] P4 CWE-22 Magento Insecure Direct Object Reference (IDOR) vulnerability
Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
An insecure direct object reference (IDOR) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an administrator with limited privileges to delete the downloadable products folder.

CVE-2019-8152 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting (XSS) vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the WYSIWYG editor can abuse the `blockDirective()` function and inject malicious JavaScript into the cache of the admin dashboard. As per [the Magento Release 2.3.3](h

CVE-2019-7944 [MEDIUM] P4 CWE-79 Magento 2 Community Edition XSS Vulnerability
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting vulnerability exists in the product comments field of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the Return Product comments field can inject malicious JavaScript.

CVE-2019-8129 [MEDIUM] P4 CWE-79 Magento Cross-Site Scripting via Signifyd Guarantee Option Translation Override
Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | Date: 2022-05-24 | Sources: GHSA, OSV
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting an embedded expression into a translation.

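The affected ranges on this page use Magento's release notation, in which 2.3.2-p1 is a patch release that sorts after 2.3.2 and before 2.3.3, while 2.4.7-beta1 sorts before 2.4.7; a plain dotted-number comparison gets both wrong, and several entries above (CVE-2019-8126, CVE-2020-9581, CVE-2025-24435) have a patch or beta tag as a range boundary. The block below is an added example, not cvebase's or Magento's code, that turns a handful of the ranges printed on this page into a check of an installed version. The `PAGE_ENTRIES` table copies only the ranges visible here and leaves out the ranges the page truncates as "+N more", so it demonstrates the comparison rather than serving as a complete advisory lookup.

```python
# Added example (not cvebase's or Magento's code): check an installed
# magento/community-edition version against affected ranges written the way
# this page writes them, with Magento's -pN patch and -betaN pre-release tags.
import re
from typing import Callable, Dict, List, Tuple

# Pre-releases sort below the plain release, patch releases above it:
# 2.4.7-beta1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p2 < 2.4.8
_STAGE_RANK = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "p": 1, "patch": 1}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|rc|patch|p)(\d*))?$", re.IGNORECASE
)


def version_key(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Sortable key for a Magento version string; raises on anything unexpected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    nums, stage, num = m.groups()
    parts = tuple(int(x) for x in nums.split("."))
    parts += (0,) * (4 - len(parts))  # "2.3" == "2.3.0" == "2.3.0.0"
    return parts, _STAGE_RANK[(stage or "").lower()], int(num or 0)


_OPS: Dict[str, Callable[[object, object], bool]] = {
    "≥": lambda a, b: a >= b, ">=": lambda a, b: a >= b,
    "≤": lambda a, b: a <= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
# One constraint: an operator, optional whitespace, then a version token.
_CONSTRAINT_RE = re.compile(r"(≥|≤|>=|<=|>|<|=)\s*([0-9][0-9A-Za-z.\-]*)")


def in_range(version: str, range_text: str) -> bool:
    """True when version satisfies every constraint of one range, e.g. '≥ 2.3, < 2.3.2-p2'."""
    constraints = _CONSTRAINT_RE.findall(range_text)
    if not constraints:
        raise ValueError(f"no constraints found in {range_text!r}")
    key = version_key(version)
    return all(_OPS[op](key, version_key(bound)) for op, bound in constraints)


def is_affected(version: str, ranges: List[str]) -> bool:
    """An entry carries one range per release line; matching any of them means affected."""
    return any(in_range(version, r) for r in ranges)


# Ranges copied from entries on this page. The ranges the page truncates as
# "+N more" are not here, so this table is a demonstration, not a full lookup.
PAGE_ENTRIES: Dict[str, List[str]] = {
    "CVE-2020-3715": ["≥ 2.3.0, < 2.3.4", "≥ 0, < 2.2.11"],
    "CVE-2019-8126": ["≥ 2.2, < 2.2.10", "≥ 2.3, < 2.3.2-p2"],
    "CVE-2020-9581": ["≥ 0, ≤ 2.2.11", "≥ 2.3.0, < 2.3.4-p2"],
    "CVE-2025-24435": ["≥ 2.4.7-beta1, < 2.4.7-p4", "≥ 2.4.6-p1, < 2.4.6-p9"],
}


def affecting(version: str, entries: Dict[str, List[str]] = PAGE_ENTRIES) -> List[str]:
    """CVE ids from entries whose ranges contain version, sorted."""
    return sorted(cve for cve, ranges in entries.items() if is_affected(version, ranges))


if __name__ == "__main__":
    for v in ("2.3.2-p1", "2.3.4", "2.3.4-p2", "2.4.7-beta1", "2.4.7-p4"):
        print(v, "->", affecting(v) or "none of the ranges in PAGE_ENTRIES")
```

Two details carry the whole check. The key pads short versions with zeros so that the page's "≥ 2.3" and "≥ 2.3.0" mean the same bound, and it places the release stage after the numeric parts, so 2.3.4 is inside "< 2.3.4-p2" (the unpatched release is affected) while 2.3.4-p2 itself is not. A version string the regex does not recognise raises instead of silently sorting somewhere, which is the behaviour you want from anything that decides whether a host is patched.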