
Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 4 of 18

CVE | Priority | Severity | Affected versions | Date
CVE-2019-7950 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7950 [HIGH] CWE-639 Magento 2 Community Edition Access Control Bypass: An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidential information.
CVE-2021-36036 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2023-09-06
CVE-2021-36036 [CRITICAL] CWE-284 Magento improper access control vulnerability within Magento's Media Gallery Upload workflow: Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker wit
CVE-2021-21019 | P3 | CRITICAL | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21019 [CRITICAL] CWE-91 Magento XML injection in the Widgets module: Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2021-21025 | P3 | CRITICAL | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21025 [CRITICAL] CWE-91 Magento XPath Injection: Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.
CVE-2021-36033 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36033 [CRITICAL] CWE-91 Magento XML Injection vulnerability in the Widgets Module: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36042 | P3 | CRITICAL | ≥ 2.4.2-p1, < 2.4.2-p2; ≥ 0, < 2.3.7-p1 | 2022-05-24
CVE-2021-36042 [CRITICAL] CWE-20 Magento executes code via the API File Option Upload Extension: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.
CVE-2021-36023 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2023-09-06
CVE-2021-36023 [CRITICAL] CWE-78 Magento XML Injection vulnerability in the Widgets Update Layout: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2023-38208 | P3 | HIGH | ≥ 2.4.6-p1, < 2.4.6-p2; ≥ 2.4.5-p1, < 2.4.5-p4; +1 more | 2023-08-09
CVE-2023-38208 [HIGH] CWE-78 Magento Open Source allows Improper Neutralization of Special Elements Used: Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploi
CVE-2021-36021 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2023-09-06
CVE-2021-36021 [CRITICAL] CWE-20 Magento affected by remote code execution vulnerability in the CMS page scheduled update feature: Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulner
CVE-2024-39398 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more | 2024-08-14
CVE-2024-39398 [HIGH] CWE-307 Magento does not properly restrict excessive authentication attempts: Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to acco
CVE-2021-21029 | P4 | MEDIUM | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
CVE-2021-21029 [MEDIUM] CWE-79 Magento Reflected Cross-site Scripting vulnerability via 'file' parameter: Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a Reflected Cross-site Scripting vulnerability via 'file' parameter. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful e
CVE-2022-34253 | P3 | CRITICAL | ≥ 0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5; +1 more | 2022-08-17
CVE-2022-34253 [CRITICAL] CWE-91 Magento XML Injection vulnerability in the Widgets Module: Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution. Exploitation of this issue does not require user interaction.
CVE-2021-36022 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36022 [HIGH] CWE-74 Magento XML Injection vulnerability in the Widgets Update Layout: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36028 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36028 [CRITICAL] CWE-91 Magento has an XML Injection vulnerability: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.
CVE-2021-36040 | P3 | CRITICAL | ≥ 2.4.2-p1, < 2.4.2-p2; ≥ 0, < 2.3.7-p1 | 2022-05-24
CVE-2021-36040 [CRITICAL] CWE-20 Magento has a file extension restrictions bypass: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions, which could lead to remote code execution.
CVE-2021-36025 | P3 | CRITICAL | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36025 [CRITICAL] CWE-20 Magento is affected by an improper input validation vulnerability while saving a customer's details: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges
CVE-2019-7930 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7930 [HIGH] CWE-434 Magento 2 Community Unrestricted File Upload: A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a mali
CVE-2021-36041 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36041 [HIGH] CWE-20 Magento vulnerable to file upload attack: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file to the 'pub/media' directory, which could lead to remote code execution.
CVE-2021-36034 | P3 | HIGH | ≥ 2.4.2-p1, < 2.4.2-p2; ≥ 0, < 2.3.7-p1 | 2022-05-24
CVE-2021-36034 [HIGH] CWE-20 Magento affected by remote code execution via a file upload: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.
CVE-2025-24406 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9; +2 more | 2025-02-11
CVE-2025-24406 [HIGH] CWE-22 Adobe Commerce Path Traversal: Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not