Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities (page 3 of 18)
CVE | Priority | Severity | Affected version ranges | Date
CVE-2023-38218 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3; +2 more | 2023-10-13
CVE-2023-38218 [MEDIUM] CWE-20 Magento Open Source allows Incorrect Authorization
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
CVE-2021-21016 | P3 | CRITICAL | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
CVE-2021-21016 [CRITICAL] CWE-78 Magento OS command injection via the WebAPI
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2019-7871 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7871 [HIGH] CWE-94 Magento 2 Community Edition Unsafe File Upload
A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass the security protections that prevent arbitrary PHP script upload via form data injection.
CVE-2019-8121 | P3 | HIGH | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.3 | 2019-11-12
CVE-2019-8121 [HIGH] Using JS libraries with known security vulnerabilities
An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3. The Magento 2 codebase used outdated versions of JS libraries (Bootstrap, jQuery, Knockout) with known security vulnerabilities.
CVE-2019-8134 | P3 | HIGH | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
CVE-2019-8134 [HIGH] CWE-89 Magento SQL injection via marketing account with access to email templates variables
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables.
CVE-2024-34104 | P3 | HIGH | ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8; +1 more | 2024-06-13
CVE-2024-34104 [HIGH] CWE-285 Magento Open Source Improper Authorization vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation of this
CVE-2025-24409 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9; +2 more | 2025-02-11
CVE-2025-24409 [HIGH] CWE-285 Adobe Commerce Improper Authorization vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation
CVE-2021-21018 | P3 | CRITICAL | ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21018 [CRITICAL] CWE-78 Magento OS Command Injection
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2020-9630 | P3 | CRITICAL | ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | 2022-05-24
CVE-2020-9630 [CRITICAL] CWE-269 Magento business logic error vulnerability
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2021-21024 | P3 | CRITICAL | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21024 [CRITICAL] CWE-89 Magento Blind SQL Injection in the Search module
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a blind SQL injection vulnerability in the Search module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2019-8154 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8154 [HIGH] CWE-829 Magento remote code execution vulnerability
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies a product design update.
As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.c
CVE-2019-8158 | P3 | CRITICAL | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8158 [CRITICAL] CWE-91 Magento 2 Community Edition XML Injection
An XPath entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An attacker can craft a GET request to the page cache block rendering module that is passed to the XML data processing engine without validation. The crafted key/value GET request data gives the attacker limited access to the underlying XML data.
As per [the Magento Rel
CVE-2019-8127 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8127 [HIGH] CWE-89 Magento 2 Community Edition SQLi Vulnerability
A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user whose account has the Newsletter Template editing permission could exfiltrate the Admin login data and reset their password, effectively performing a privilege escalation.
As per [the Magento Release 2.3.3](https://web.archive.org/
CVE-2019-8093 | P3 | HIGH | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
CVE-2019-8093 [HIGH] CWE-434 Magento Information Disclosure via File upload functionality
An arbitrary file access vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can leverage the file upload controller for downloadable products to read or delete arbitrary files.
CVE-2022-42344 | P3 | HIGH | ≥ 0, < 2.3.7-p4; ≥ 2.4.0, < 2.4.3-p3; +1 more | 2022-10-20
CVE-2022-42344 [HIGH] CWE-20 Magento Improper input validation vulnerability
Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
CVE-2024-34103 | P3 | CRITICAL | ≥ 2.4.6-p1, < 2.4.6-p6; ≥ 2.4.5-p1, < 2.4.5-p8; +1 more | 2024-06-13
CVE-2024-34103 [CRITICAL] CWE-287 Magento Open Source Improper Authentication vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interact
CVE-2025-43585 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p6; ≥ 2.4.6-p1, < 2.4.6-p11; +1 more | 2025-06-10
CVE-2025-43585 [HIGH] CWE-285 Magento Improper Authorization leading to security feature bypass
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a
CVE-2021-21014 | P3 | CRITICAL | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
CVE-2021-21014 [CRITICAL] CWE-434 Magento vulnerable to a file upload restriction bypass
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2019-8136 | P3 | CRITICAL | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8136 [CRITICAL] Magento 2 Community Edition Insecure Component
An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. The Magento 2 codebase used outdated versions of the HTTP specification abstraction implemented in the Symfony component.
CVE-2025-49556 | P3 | HIGH | ≥ 2.4.9-alpha1, < 2.4.9-alpha2; ≥ 2.4.8-beta1, < 2.4.8-p2; +3 more | 2025-08-12
CVE-2025-49556 [HIGH] CWE-863 Magento has incorrect authorization issue that leads to arbitrary file system read
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read ac