cvebase

Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 5 of 18
CVE-2024-39399 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more | 2024-08-14
CVE-2024-39399 [HIGH] CWE-22 Magento Path Traversal vulnerability. Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue
Sources: GHSA, OSV
CVE-2021-36031 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36031 [HIGH] CWE-22 Magento Path Traversal vulnerability via the `theme[preview_image]` parameter. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
Sources: GHSA, OSV
CVE-2021-36024 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36024 [HIGH] CWE-77 Magento is affected by an OS command injection via the Data collection endpoint. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code executio
Sources: GHSA, OSV
CVE-2019-8141 | P3 | HIGH | ≥ 2.1.0, < 2.1.19; ≥ 2.2.0, < 2.2.10; +1 more | 2022-05-24
CVE-2019-8141 [HIGH] CWE-502 Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.
Sources: GHSA, OSV
CVE-2022-34258 | P3 | MEDIUM | ≥ 2.3.0, < 2.3.7-p4; ≥ 2.4.4, < 2.4.5; +1 more | 2022-08-17
CVE-2022-34258 [MEDIUM] CWE-79 Magento stored Cross-Site Scripting (XSS) vulnerability. Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker with admin privileges to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to t
Sources: GHSA, OSV
CVE-2021-36030 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36030 [HIGH] CWE-20 Magento allows attackers to alter the price of items. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.
Sources: GHSA, OSV
CVE-2024-39402 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more | 2024-08-14
CVE-2024-39402 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability. Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.
Sources: GHSA, OSV
CVE-2024-39401 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more | 2024-08-14
CVE-2024-39401 [HIGH] CWE-78 Magento OS Command ('OS Command Injection') vulnerability. Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.
Sources: GHSA, OSV
CVE-2023-38220 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3; +2 more | 2023-10-13
CVE-2023-38220 [MEDIUM] CWE-285 Magento Open Source allows Improper Authorization. Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead to a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2021-36029 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36029 [HIGH] CWE-285 Magento improper authorization vulnerability. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.
Sources: GHSA, OSV
CVE-2019-7932 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7932 [HIGH] CWE-94 Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.
Sources: GHSA, OSV
CVE-2019-7903 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7903 [HIGH] CWE-94 Magento 2 Community Edition RCE Vulnerability. A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to email templates can execute arbitrary code by previewing a malicious template.
Sources: GHSA, OSV
CVE-2019-7892 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7892 [HIGH] CWE-918 Magento 2 Community Edition RCE Vulnerability via SSRF. A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.
Sources: GHSA, OSV
CVE-2019-8151 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8151 [HIGH] CWE-918 Magento Server-Side Request Forgery (SSRF). A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway. As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/htt
Sources: GHSA, OSV
CVE-2022-24093 | P3 | MEDIUM | ≥ 2.4.3-p1, < 2.4.3-p2; ≥ 2.3.7-p1, < 2.3.7-p3 | 2023-09-18
CVE-2022-24093 [MEDIUM] CWE-20 Magento Open Source affected by Improper Input Validation. Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.
Sources: GHSA, OSV
CVE-2024-20719 | P3 | HIGH | ≥ 2.4.6-p1, < 2.4.6-p4; ≥ 2.4.5-p1, < 2.4.5-p6; +1 more | 2024-02-15
CVE-2024-20719 [HIGH] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS). Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be lev
Sources: GHSA, OSV
CVE-2025-49557 | P3 | HIGH | ≥ 0, < 2.4.4-p15; ≥ 2.4.5-p1, < 2.4.5-p14; +2 more | 2025-08-12
CVE-2025-49557 [HIGH] CWE-79 Magento Cross-site Scripting vulnerability. Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data.
Sources: GHSA, OSV
CVE-2020-9587 | P3 | HIGH | ≥ 0, ≤ 2.2.11; ≥ 2.3.0, < 2.3.4-p2 | 2022-05-24
CVE-2020-9587 [HIGH] CWE-863 Magento authorization bypass vulnerability. Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.
Sources: GHSA, OSV
CVE-2023-22249 | P3 | LOW | ≥ 2.4.4-p1, ≤ 2.4.4-p2 | 2023-07-06
CVE-2023-22249 [LOW] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS). Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable f
Sources: GHSA, OSV
CVE-2021-21015 | P3 | HIGH | ≥ 0, < 2.3.6-p1; ≥ 2.4.0, < 2.4.2 | 2022-05-24
CVE-2021-21015 [HIGH] CWE-78 Magento OS command injection via the customer attribute save controller. Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploit
Sources: GHSA, OSV