
Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 2 of 18
CVE-2019-8135 | P3 | CRITICAL | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8135 [CRITICAL] CWE-74 Remote code execution via vulnerable Symfony dependency injection. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through the Symfony framework allows service identifiers to be derived from user-controlled data, which can lead to remote code execution. As per [the Magento Release 2.3.3](https://web.archive.org/we
Sources: GHSA, OSV
CVE-2022-34255 | P3 | HIGH | ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5 (+1 more) | 2022-08-17
CVE-2022-34255 [HIGH] CWE-284 Magento Improper Access Control vulnerability. Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in privilege escalation. An attacker with a low-privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2024-34107 | P3 | MEDIUM | ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8 (+1 more) | 2024-06-13
CVE-2024-34107 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability. Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2020-24407 | P3 | CRITICAL | ≥ 0, < 2.4.1 | 2022-05-24
CVE-2020-24407 [CRITICAL] CWE-434 Magento 2 Community Edition RCE via Unsafe File Upload. Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Sources: GHSA, OSV
CVE-2019-8111 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8111 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
Sources: GHSA, OSV
CVE-2024-20758 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7; ≥ 2.4.6-p1, < 2.4.6-p5 (+2 more) | 2024-04-10
CVE-2024-20758 [HIGH] CWE-20 Magento Open Source Improper Input Validation. Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.
Sources: GHSA, OSV
CVE-2020-9585 | P3 | CRITICAL | ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | 2022-05-24
CVE-2020-9585 [CRITICAL] Magento defense-in-depth security mitigation vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
Sources: GHSA, OSV
CVE-2019-8149 | P3 | CRITICAL | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
CVE-2019-8149 [CRITICAL] CWE-287 Magento broken authentication and session management. An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append an arbitrary session id that will not be invalidated by subsequent authentication.
Sources: GHSA, OSV
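The session-fixation pattern described for CVE-2019-8149 above, as an added Python example that is not Magento's or cvebase's code: a login routine that keeps whatever session id the client presented beside the fix, which discards the presented id and issues a fresh server-generated one at the moment of authentication. The in-memory session store, the user table and the "attacker-chosen-id" value are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential table for the demo (not Magento's customer store).
USERS = {"victim": "correct-horse-battery-staple"}


@dataclass
class Session:
    user: Optional[str] = None              # None until authenticated
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Minimal server-side session table keyed by session id."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_id(self) -> str:
        return secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def vulnerable_login(store: SessionStore, presented_sid: str,
                     user: str, password: str) -> Optional[str]:
    """Fixation-prone pattern: the id the client presents is adopted as-is and
    survives authentication, so whoever planted it now owns a logged-in session."""
    if not check_password(user, password):
        return None
    session = store.sessions.setdefault(presented_sid, Session())
    session.user = user
    return presented_sid


def hardened_login(store: SessionStore, presented_sid: str,
                   user: str, password: str) -> Optional[str]:
    """Fix: on a privilege change drop the presented session entry and issue a
    fresh, server-generated id. Pre-auth data (e.g. a guest cart) may be carried
    over; the id itself must not be."""
    if not check_password(user, password):
        return None
    old = store.sessions.pop(presented_sid, None)   # invalidate what the client presented
    fresh_id = store.new_id()
    store.sessions[fresh_id] = Session(user=user, data=dict(old.data) if old else {})
    return fresh_id


def simulate_fixation(login) -> bool:
    """True if an attacker who planted a known session id on the victim ends up
    with an authenticated session under that id after the victim logs in."""
    store = SessionStore()
    planted = "attacker-chosen-id"   # e.g. delivered via a crafted link or cookie injection
    login(store, planted, "victim", USERS["victim"])
    hijacked = store.sessions.get(planted)
    return hijacked is not None and hijacked.user == "victim"


if __name__ == "__main__":
    print("vulnerable login hijackable:", simulate_fixation(vulnerable_login))
    print("hardened login hijackable:  ", simulate_fixation(hardened_login))
```

In a PHP stack the equivalent of `hardened_login` is calling `session_regenerate_id(true)` (or the framework's regenerate method) immediately after a successful credential check, and only ever honouring session ids the server itself issued.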
CVE-2019-7876 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7876 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
Sources: GHSA, OSV
CVE-2019-8130 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8130 [HIGH] CWE-89 Magento SQL injection vulnerability. A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through a group instance in email templates.
Sources: GHSA, OSV
CVE-2025-24411 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more) | 2025-02-11
CVE-2025-24411 [HIGH] CWE-284 Magento Improper Access Control vulnerability. Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2019-8110 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8110 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
Sources: GHSA, OSV
CVE-2024-34111 | P3 | MEDIUM | ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8 (+1 more) | 2024-06-13
CVE-2024-34111 [MEDIUM] CWE-918 Magento Open Source Server-Side Request Forgery (SSRF) vulnerability. Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted request to the server, which could then cause the server to execute arbitrary
Sources: GHSA, OSV
CVE-2025-54263 | P3 | HIGH | ≥ 2.4.9-alpha1, < 2.4.9-alpha3; ≥ 2.4.8-beta1, < 2.4.8-p3 (+2 more) | 2025-10-14
CVE-2025-54263 [HIGH] CWE-863 Magento incorrect authorization leading to a security feature bypass. Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require
Sources: GHSA, OSV
CVE-2021-36032 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36032 [HIGH] CWE-20 Magento improper input validation vulnerability. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
Sources: GHSA, OSV
CVE-2022-34254 | P3 | HIGH | ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.0, < 2.4.3-p3 (+1 more) | 2022-08-17
CVE-2022-34254 [HIGH] CWE-22 Magento Path Traversal vulnerability. Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint. A low-privileged attacker could leverage this vulnerability to read local files and to perform
Sources: GHSA, OSV
CVE-2019-7885 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7885 [HIGH] CWE-20 Magento 2 Community Edition RCE Vulnerability. Insufficient input validation in the config builder of the Elasticsearch module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
Sources: GHSA, OSV
CVE-2019-8150 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8150 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-note
Sources: GHSA, OSV
CVE-2019-8137 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8137 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate the CMS section of the website can trigger remote code execution via a custom layout update.
Sources: GHSA, OSV
CVE-2019-8122 | P3 | HIGH | ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10 (+1 more) | 2022-05-24
CVE-2019-8122 [HIGH] Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft a custom layout update and use the import product functionality to enable remote code execution.
Sources: GHSA, OSV
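The affected-version ranges printed beside each entry are only useful if they can be compared against the version actually deployed, and Magento's `-alphaN`, `-betaN` and `-pN` suffixes break naive string comparison. The following is an added helper, not cvebase's or Magento's code: it parses range strings in the notation used on this page and reports which listed CVEs contain a given version. The four range sets embedded are copied from entries above (the unexpanded "+N more" ranges are omitted); the ordering alpha < beta < release < p is an assumption about how the page's ranges are meant to be read.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges copied from entries on this page (not a full table).
AFFECTED: Dict[str, List[str]] = {
    "CVE-2019-8149": ["≥ 2.2, < 2.2.10", "≥ 2.3, < 2.3.2-p1"],
    "CVE-2020-24407": ["≥ 0, < 2.4.1"],
    "CVE-2024-34107": ["≥ 2.4.6-p1, < 2.4.6-p6", "≥ 2.4.5-p1, < 2.4.5-p8"],
    "CVE-2025-24411": ["≥ 2.4.7-beta1, < 2.4.7-p4", "≥ 2.4.6-p1, < 2.4.6-p9"],
}

# Assumed suffix ordering: 2.4.7-alpha1 < 2.4.7-beta1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p2 ...
_STAGE_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|p)(\d+))?")
_BOUND_RE = re.compile(r"(≥|>|≤|<)\s*([0-9][0-9A-Za-z.\-]*)")
_OPS = {
    "≥": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "≤": lambda a, b: a <= b, "<": lambda a, b: a < b,
}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> VersionKey:
    """Map '2.4.6-p5' to a sortable (numbers, stage, stage_number) key.
    Short forms such as '2.2' or '0' are padded to three components."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums, _STAGE_RANK[m.group(2) or ""], int(m.group(3) or 0)


def parse_range(text: str) -> List[Tuple[str, VersionKey]]:
    """'≥ 2.3, < 2.3.2-p1' -> [('≥', key(2.3.0)), ('<', key(2.3.2-p1))]."""
    bounds = _BOUND_RE.findall(text)
    if not bounds:
        raise ValueError(f"no bounds found in range: {text!r}")
    return [(op, parse_version(ver)) for op, ver in bounds]


def in_range(version: str, range_text: str) -> bool:
    key = parse_version(version)
    return all(_OPS[op](key, bound) for op, bound in parse_range(range_text))


def affected_cves(version: str, table: Dict[str, List[str]] = AFFECTED) -> List[str]:
    """CVE ids from `table` whose affected ranges contain `version`."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    for v in ("2.3.2", "2.3.2-p1", "2.4.6-p8", "2.4.7-beta1", "2.4.7-p4"):
        print(f"{v:12s} {affected_cves(v)}")
```

Read the installed version from `composer show magento/product-community-edition` (or the `magento/community-edition` package this page tracks) rather than from a page banner, and treat a hit here as a prompt to check the vendor advisory: the ranges above come from the listing, and for some entries (CVE-2019-8135, CVE-2019-8150) the range end and the prose differ on whether 2.3.2-p1 is fixed.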