Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 18 of 18
CVE-2019-7857 [MEDIUM, P4] CWE-352: Magento Cross-Site Request Forgery (CSRF)
Affected: ≥ 2.2.0, < 2.2.9; ≥ 2.1.0, < 2.1.18 (+1 more). Date: 2022-05-24
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.
Sources: GHSA, OSV
CVE-2025-24432 [LOW, P4] CWE-367: Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more). Date: 2025-02-11
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it
Sources: GHSA, OSV
CVE-2025-24430 [LOW, P4] CWE-367: Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more). Date: 2025-02-11
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it
Sources: GHSA, OSV
CVE-2020-24406 [LOW, P4] CWE-200: Magento information disclosure vulnerability
Affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1. Date: 2022-05-24
When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.
Sources: GHSA, OSV
CVE-2020-24403 [LOW, P4] CWE-285: Magento incorrect user permissions vulnerability within the Inventory component
Affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1. Date: 2022-05-24
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
Sources: GHSA, OSV
CVE-2020-24404 [LOW, P4] CWE-285: Magento 2 Community Edition vulnerable to Improper Authorization
Affected: ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1. Date: 2022-05-24
Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability within the Integrations component. This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.
Sources: GHSA, OSV
CVE-2024-45120 [MEDIUM, P4] CWE-367: Magento Open Source Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more). Date: 2024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between the check and the use
Sources: GHSA, OSV
CVE-2021-28566 [LOW, P4] CWE-200: Magento Information Disclosure vulnerability
Affected: ≥ 2.4.0, < 2.4.2-p1; ≥ 2.3.0, < 2.3.7. Date: 2022-05-24
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of the document root path. Access to the admin console is required for successful exploitation, so the attacker must already hold admin credentials.
Sources: GHSA, OSV
CVE-2024-45135 [MEDIUM, P4] CWE-284: Magento Open Source Improper Access Control vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more). Date: 2024-10-10
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user inter
Sources: GHSA, OSV
CVE-2025-49549 [LOW, P4] CWE-863: Magento Authenticated Security feature bypass
Affected: ≥ 2.4.7-beta1, < 2.4.7-p6; ≥ 2.4.6-p1, < 2.4.6-p11 (+1 more). Date: 2025-06-26
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2023-29293 [LOW, P4] CWE-20: Magento Open Source affected by Improper Input Validation
Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4. Date: 2023-06-15
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not
Sources: GHSA, OSV
CVE-2024-45149 [LOW, P4] CWE-284: Magento Open Source Improper Access Control vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more). Date: 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not r
Sources: GHSA, OSV
CVE-2024-45134 [MEDIUM, P4] CWE-200: Magento Open Source Information Exposure vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more). Date: 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user
Sources: GHSA, OSV
CVE-2024-45133 [MEDIUM, P4] CWE-284: Magento Open Source Information Exposure vulnerability
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more). Date: 2024-10-10
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user
Sources: GHSA, OSV
CVE-2025-27192 [LOW, P4] CWE-522: Magento does not properly protect credentials
Affected: ≥ 2.4.7-beta1, < 2.4.7-p5; ≥ 2.4.6-p1, < 2.4.6-p10 (+3 more). Date: 2025-04-08
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this
Sources: GHSA, OSV
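The affected ranges in this listing are written as constraints such as ≥ 2.4.7-beta1, < 2.4.7-p4, and Magento's release naming is what makes them easy to match wrongly: 2.4.7-beta1 sorts before 2.4.7, while 2.4.7-p4 sorts after it, so a plain string compare or a strict semver library (which treats "-p4" as a pre-release below 2.4.7) gives the wrong answer. The script below is an added example, not code from this page or from Magento: it parses ranges in this listing's notation, compares versions with the beta < GA < pN ordering, and reports which listed CVEs cover the version read from composer.lock. Assumptions: the ordering rule is taken from how Magento names its releases; magento/product-community-edition is assumed to be the Composer package behind the listing's name magento/community-edition; the composer.lock content is constructed sample data; and only the ranges visible on this page are encoded, so ranges collapsed behind "+N more" are not covered.

```python
"""Match an installed Magento Open Source version against affected ranges
written the way this listing writes them, e.g. "≥ 2.4.7-beta1, < 2.4.7-p4".

Added example, not code from the page or from Magento. Ordering assumed from
Magento's release naming: X.Y.Z-betaN < X.Y.Z < X.Y.Z-p1 < X.Y.Z-p2 < ...
"""
import json
import re
from typing import List, Tuple

# release stage: beta pre-releases sort below GA, "-pN" security patches above it
_STAGE = {"beta": 0, "": 1, "p": 2}
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(beta|p)(\d+))?$")
_CLAUSE_RE = re.compile(r"(≥|≤|>=|<=|>|<)\s*([0-9][0-9A-Za-z.\-]*)")
_OPS = {
    "≥": lambda a, b: a >= b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "≤": lambda a, b: a <= b, "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """'2.4.6-p9' -> ((2,4,6,0), 2, 9); '2.4.7-beta1' -> ((2,4,7,0), 0, 1).
    Also accepts the hyphen-less form '2.3.5p1' used in some advisory texts."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = (nums + (0,) * 4)[:4]  # pad so '2.4' compares equal to '2.4.0'
    return (nums, _STAGE[m.group(2) or ""], int(m.group(3) or 0))


def in_range(version: str, range_text: str) -> bool:
    """True if `version` satisfies every clause of one range string."""
    clauses = _CLAUSE_RE.findall(range_text)
    if not clauses:
        raise ValueError(f"no comparison clauses in {range_text!r}")
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in clauses)


def is_affected(version: str, ranges: List[str]) -> bool:
    """An entry lists several disjoint ranges (one per release line); any match counts."""
    return any(in_range(version, r) for r in ranges)


def installed_version(lock_text: str, package: str = "magento/product-community-edition") -> str:
    """Read one package's installed version out of composer.lock JSON text."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"]
    raise KeyError(f"{package} not found in composer.lock")


# Constructed sample lock file (not a real deployment).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/product-community-edition", "version": "2.4.7-p3"},
        {"name": "magento/framework", "version": "103.0.7-p3"},
    ],
    "packages-dev": [],
})

# Ranges copied from the entries on this page. Ranges hidden behind "+N more"
# are not on the page and so are not encoded here.
LISTED_RANGES = {
    "CVE-2025-24432": ["≥ 2.4.7-beta1, < 2.4.7-p4", "≥ 2.4.6-p1, < 2.4.6-p9"],
    "CVE-2024-45120": ["≥ 2.4.7-beta1, < 2.4.7-p3", "≥ 2.4.6-p1, < 2.4.6-p8"],
    "CVE-2020-24406": ["≥ 0, < 2.3.6", "≥ 2.4.0, < 2.4.1"],
    "CVE-2019-7857": ["≥ 2.2.0, < 2.2.9", "≥ 2.1.0, < 2.1.18"],
}


def matching_cves(version: str, listing=LISTED_RANGES) -> List[str]:
    """CVE ids from `listing` whose ranges cover `version`, sorted for stable output."""
    return sorted(cve for cve, ranges in listing.items() if is_affected(version, ranges))


if __name__ == "__main__":
    v = installed_version(SAMPLE_COMPOSER_LOCK)
    print(v, "->", matching_cves(v))
```

Note that a range starting at ≥ 2.4.6-p1 does not cover the 2.4.6 GA release under this ordering, even though the Adobe text for the same CVE says "2.4.6-p8 and earlier"; when the listing's ranges and the advisory text disagree, check the vendor bulletin before declaring a store unaffected.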