Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 2 of 18
CVE-2019-8135 | P3 | CRITICAL | Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2 | 2019-11-12
CVE-2019-8135 [CRITICAL] CWE-74 Remote code execution via vulnerable Symfony dependency injection
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through the Symfony framework allows service identifiers to be derived from user-controlled data, which can lead to remote code execution.
As per [the Magento Release 2.3.3](https://web.archive.org/we
CVE-2022-34255 | P3 | HIGH | Affected: ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5 (+1 more) | 2022-08-17
CVE-2022-34255 [HIGH] CWE-284 Magento Improper Access Control vulnerability
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in privilege escalation. An attacker with a low privilege account could leverage this vulnerability to perform an account takeover for a victim. Exploitation of this issue does not require user interaction.
CVE-2024-34107 | P3 | MEDIUM | Affected: ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8 (+1 more) | 2024-06-13
CVE-2024-34107 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2020-24407 | P3 | CRITICAL | Affected: ≥ 0, < 2.4.1 | 2022-05-24
CVE-2020-24407 [CRITICAL] CWE-434 Magento 2 Community Edition RCE via Unsafe File Upload
Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
CVE-2019-8111 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8111 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage plugin functionality related to email templates to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
CVE-2024-20758 | P3 | HIGH | Affected: ≥ 2.4.7-beta1, < 2.4.7; ≥ 2.4.6-p1, < 2.4.6-p5 (+2 more) | 2024-04-10
CVE-2024-20758 [HIGH] CWE-20 Magento Open Source allows Improper Input Validation
Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.
CVE-2020-9585 | P3 | CRITICAL | Affected: ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | 2022-05-24
CVE-2020-9585 [CRITICAL] Magento Defense-in-depth security mitigation vulnerability
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2019-8149 | P3 | CRITICAL | Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
CVE-2019-8149 [CRITICAL] CWE-287 Magento Broken authentication and session management
An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can append an arbitrary session id that will not be invalidated by subsequent authentication.
CVE-2019-7876 | P3 | HIGH | Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7876 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.
CVE-2019-8130 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8130 [HIGH] CWE-89 Magento SQL injection vulnerability
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with store manipulation privileges can execute arbitrary SQL queries by getting access to the database connection through the group instance in email templates.
CVE-2025-24411 | P3 | HIGH | Affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more) | 2025-02-11
CVE-2025-24411 [HIGH] CWE-284 Magento Improper Access Control vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2019-8110 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8110 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the email templates hierarchy to manipulate the interceptor class in a way that allows an attacker to execute arbitrary code.
CVE-2024-34111 | P3 | MEDIUM | Affected: ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8 (+1 more) | 2024-06-13
CVE-2024-34111 [MEDIUM] CWE-918 Magento Open Source Server-Side Request Forgery (SSRF) vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted request to the server, which could then cause the server to execute arbitrary
CVE-2025-54263 | P3 | HIGH | Affected: ≥ 2.4.9-alpha1, < 2.4.9-alpha3; ≥ 2.4.8-beta1, < 2.4.8-p3 (+2 more) | 2025-10-14
CVE-2025-54263 [HIGH] CWE-863 Magento provides incorrect authorization through a security feature bypass
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require
CVE-2021-36032 | P3 | HIGH | Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36032 [HIGH] CWE-20 Magento is affected by an improper input validation vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
CVE-2022-34254 | P3 | HIGH | Affected: ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.0, < 2.4.3-p3 (+1 more) | 2022-08-17
CVE-2022-34254 [HIGH] CWE-22 Magento Path Traversal vulnerability
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the vulnerable endpoint. A low privileged attacker could leverage this vulnerability to read local files and to perform
CVE-2019-7885 | P3 | HIGH | Affected: ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7885 [HIGH] CWE-20 Magento 2 Community Edition RCE Vulnerability
Insufficient input validation in the config builder of the Elasticsearch module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
CVE-2019-8150 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8150 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.
As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-note
CVE-2019-8137 | P3 | HIGH | Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8137 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to manipulate the CMS section of the website can trigger remote code execution via a custom layout update.
CVE-2019-8122 | P3 | HIGH | Affected: ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10 (+1 more) | 2022-05-24
CVE-2019-8122 [HIGH] Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft a custom layout update and use the import product functionality to enable remote code execution.