Magento Community-Edition vulnerabilities

CVE-2025-24428 [MEDIUM] CWE-79 Magento stored Cross-Site Scripting (XSS) vulnerability Magento stored Cross-Site Scripting (XSS) vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page conta

CVE-2025-24424 [MEDIUM] CWE-284 Magento Improper Access Control vulnerability Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

CVE-2025-24429 [LOW] CWE-284 Magento Improper Access Control vulnerability Magento Improper Access Control vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.

CVE-2025-24432 [LOW] CWE-367 Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it

CVE-2025-24430 [LOW] CWE-367 Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it

CVE-2024-45118 [HIGH] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have high impact on integrity. Exploitation of this issue does not require

CVE-2024-45132 [HIGH] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect confidentiality. Exploitation of this issue does not require user interaction.

CVE-2024-45124 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user intera

CVE-2024-45117 [MEDIUM] CWE-20 Magento Open Source Improper Input Validation vulnerability Magento Open Source Improper Input Validation vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to read files from the system outside of the intended directories via PHP filter chain and also can have a low

CVE-2024-45125 [MEDIUM] CWE-863 Magento Open Source Incorrect Authorization vulnerability Magento Open Source Incorrect Authorization vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to have a low impact on integrity. Exploitation of this issue does not require user interaction.

CVE-2024-45133 [MEDIUM] CWE-284 Magento Open Source Information Exposure vulnerability Magento Open Source Information Exposure vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An admin attacker could leverage this vulnerability to have a low impact on confidentiality which may aid in further attacks. Exploitation of this issue does not require user

CVE-2024-45129 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require us

CVE-2024-45128 [MEDIUM] CWE-285 Magento Open Source Improper Authorization vulnerability Magento Open Source Improper Authorization vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity and availability. Exploitation of this issue

CVE-2024-45123 [MEDIUM] CWE-79 Magento Open Source reflected Cross-Site Scripting (XSS) vulnerability Magento Open Source reflected Cross-Site Scripting (XSS) vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's brows

CVE-2024-45122 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on confidentiality. Exploitation of this issue does not

CVE-2024-45121 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not requi

CVE-2024-45130 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not requi

CVE-2024-45127 [MEDIUM] CWE-79 Magento Open Source stored Cross-Site Scripting (XSS) vulnerability Magento Open Source stored Cross-Site Scripting (XSS) vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the pag

CVE-2024-45116 [MEDIUM] CWE-79 Magento Open Source Cross-Site Scripting (XSS) vulnerability Magento Open Source Cross-Site Scripting (XSS) vulnerability Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. If an admin attacker can trick a user into clicking a specially crafted link or submitting a form, malicious scripts may be executed within the context of

CVE-2024-45135 [MEDIUM] CWE-284 Magento Open Source Improper Access Control vulnerability Magento Open Source Improper Access Control vulnerability Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An admin attacker could leverage this vulnerability to bypass security measures and have a low impact on integrity. Exploitation of this issue does not require user inter