cbcvebase.

Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs
355
CISA KEV
3
actively exploited
Public exploits
4
Exploited in wild
5
Severity breakdown
CRITICAL41HIGH105MEDIUM192LOW17

Vulnerabilities

Page 15 of 18
CVE-2019-8146P4MEDIUM≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p22022-05-24
CVE-2019-8146 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release
ghsaosv
CVE-2019-8120P4MEDIUM≥ 2.1.0, < 2.1.19≥ 2.2.0, < 2.2.10+1 more2022-05-24
CVE-2019-8120 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user can inject arbitrary Javascript code by manipulating section of a POST request related to customer's email address.
ghsaosv
CVE-2019-8145P4MEDIUM≥ 2.2, < 2.2.10≥ 2.3, < 2.3.2-p12019-11-12
CVE-2019-8145 [MEDIUM] CWE-79 Magento Cross-Site Scripting via Attribute Set Name Magento Cross-Site Scripting via Attribute Set Name A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.
ghsaosv
CVE-2024-45122P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10
CVE-2024-45122 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not
ghsaosv
CVE-2024-45125P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p3≥ 2.4.6-p1, < 2.4.6-p8+2 more2024-10-10
CVE-2024-45125 [MEDIUM] CWE-863 Magento Open Source Incorrect Authorization vulnerability Magento Open Source Incorrect Authorization vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to have a low impact on integrity. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-24421P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24421 [MEDIUM] CWE-863 Magento Incorrect Authorization vulnerability Magento Incorrect Authorization vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to perform actions with permissions that were not granted. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2024-39412P4MEDIUM≥ 2.4.7-p1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39412 [MEDIUM] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user
ghsaosv
CVE-2023-29294P4LOW≥ 2.4.5-p1, < 2.4.5-p3≥ 2.4.4-p1, < 2.4.4-p42023-06-15
CVE-2023-29294 [LOW] Magento Open Source has Business Logic Errors Vulnerability Magento Open Source has Business Logic Errors Vulnerability Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Business Logic Errors vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2019-8139P4MEDIUM≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p12022-05-24
CVE-2019-8139 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary Javascript code into the dynamic block when invoking page builder on a product.
ghsaosv
CVE-2019-8092P4MEDIUM≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p12022-05-24
CVE-2019-8092 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A reflected cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code via email template preview.
ghsaosv
CVE-2019-8131P4MEDIUM≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p12022-05-24
CVE-2019-8131 [MEDIUM] CWE-79 Magento 2 Community Edition XSS Vulnerability Magento 2 Community Edition XSS Vulnerability A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can inject arbitrary JavaScript code into code field of an inventory source.
ghsaosv
CVE-2025-24436P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24436 [MEDIUM] CWE-284 Magento Improper Access Control vulnerability Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2021-28583P4HIGH≥ 2.4.0, < 2.4.2-p1≥ 0, < 2.3.72022-05-24
CVE-2021-28583 [HIGH] CWE-657 Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources.
ghsaosv
CVE-2024-20716P4MEDIUM≥ 2.4.6-p1, < 2.4.6-p4≥ 2.4.5-p1, < 2.4.5-p6+1 more2024-02-15
CVE-2024-20716 [MEDIUM] CWE-400 Magento Open Source allows Uncontrolled Resource Consumption Magento Open Source allows Uncontrolled Resource Consumption Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to an application denial-of-service. A high-privileged attacker could leverage this vulnerability to exhaust system resources, causing the application to slow down or crash. Exploitation of this is
ghsaosv
CVE-2024-34105P4MEDIUM≥ 2.4.6-p1, < 2.4.6-p6≥ 2.4.5-p1, < 2.4.5-p8+1 more2024-06-13
CVE-2024-34105 [MEDIUM] CWE-79 Magento Open Source Cross-Site Scripting (XSS) vulnerability Magento Open Source Cross-Site Scripting (XSS) vulnerability Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulner
ghsaosv
CVE-2024-39404P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39404 [MEDIUM] CWE-285 Magento Improper Authorization vulnerability Magento Improper Authorization vulnerability Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2024-39416P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39416 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use
ghsaosv
CVE-2024-39417P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39417 [MEDIUM] CWE-285 Magento Improper Authorization leads to Security feature bypass Magento Improper Authorization leads to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use
ghsaosv
CVE-2024-39415P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39415 [MEDIUM] CWE-285 Magento Improper Authorization Leading to Security feature bypass Magento Improper Authorization Leading to Security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require
ghsaosv
CVE-2024-39411P4MEDIUM≥ 2.4.7-beta1, < 2.4.7-p2≥ 2.4.6-p1, < 2.4.6-p7+2 more2024-08-14
CVE-2024-39411 [MEDIUM] CWE-285 Magento Improper Authorization leads to security feature bypass Magento Improper Authorization leads to security feature bypass Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require use
ghsaosv
Magento Community-Edition vulnerabilities | cvebase