Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs
355
CISA KEV
3
actively exploited
Public exploits
4
Exploited in wild
5
Severity breakdown
CRITICAL41HIGH105MEDIUM192LOW17
Vulnerabilities
Page 6 of 18
CVE-2019-7861P3HIGH≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7861 [HIGH] CWE-434 Magento 2 Community Edition Unsafe File Upload
Magento 2 Community Edition Unsafe File Upload
Insufficient server-side validation of user input could allow an attacker to bypass file upload restrictions in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
ghsaosv
CVE-2019-7895P3HIGH≥ 2.1, < 2.1.18≥ 2.2, < 2.2.9+1 more2022-05-24
CVE-2019-7895 [HIGH] Magento 2 Community Edition RCE Vulnerability
Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.
ghsaosv
CVE-2019-7942P3HIGH≥ 2.1.0, < 2.1.18≥ 2.2.0, < 2.2.9+1 more2022-05-24
CVE-2019-7942 [HIGH] CWE-94 Magento 2 Community Edition RCE
Magento 2 Community Edition RCE
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create or edit a product can execute arbitrary code via malicious XML layout updates.
ghsaosv
CVE-2019-7896P3HIGH≥ 2.1, < 2.1.18≥ 2.2, < 2.2.9+1 more2022-05-24
CVE-2019-7896 [HIGH] Magento 2 Community Edition RCE Vulnerability
Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.
ghsaosv
CVE-2019-8119P3HIGH≥ 2.1.0, < 2.1.19≥ 2.2.0, < 2.2.10+1 more2022-05-24
CVE-2019-8119 [HIGH] Magento 2 Community Edition RCE Vulnerability
Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated admin user with import product privileges can delete files through bulk product import and inject code into XSLT file. The combination of these manipulations can lead to remote code execution.
ghsaosv
CVE-2019-8114P3HIGH≥ 0, < 1.9.4.3≥ 2.2.0, < 2.2.10+1 more2022-05-24
CVE-2019-8114 [HIGH] CWE-434 Magento 2 Community Edition RCE Vulnerability
Magento 2 Community Edition RCE Vulnerability
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.
As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/http
ghsaosv
CVE-2021-28584P3MEDIUM≥ 2.4.0, < 2.4.2-p1≥ 0, < 2.3.72022-05-24
CVE-2021-28584 [MEDIUM] CWE-22 Magento Path Traversal vulnerability
Magento Path Traversal vulnerability
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.
ghsaosv
CVE-2023-22247P3HIGH≥ 2.4.5-p1, < 2.4.5-p2≥ 2.4.4-p1, < 2.4.4-p32023-03-27
CVE-2023-22247 [HIGH] CWE-91 Magento Open Source allows XML Injection
Magento Open Source allows XML Injection
Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2023-22248P3MEDIUM≥ 2.4.5-p1, < 2.4.5-p3≥ 2.4.4-p1, < 2.4.5-p42023-06-15
CVE-2023-22248 [MEDIUM] CWE-863 Magento Open Source affected by Improper Input Validation
Magento Open Source affected by Improper Input Validation
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction.
ghsaosv
CVE-2025-24438P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24438 [HIGH] CWE-79 Magento stored Cross-Site Scripting (XSS) vulnerability
Magento stored Cross-Site Scripting (XSS) vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24416P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24416 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24415P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24415 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24410P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24410 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24412P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24412 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24413P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24413 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24414P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24414 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2025-24417P3HIGH≥ 2.4.7-beta1, < 2.4.7-p4≥ 2.4.6-p1, < 2.4.6-p9+2 more2025-02-11
CVE-2025-24417 [HIGH] CWE-79 Magento Stored Cross-Site Scripting (XSS) Vulnerability
Magento Stored Cross-Site Scripting (XSS) Vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page contain
ghsaosv
CVE-2019-8112P3HIGH≥ 2.2.0, < 2.2.10≥ 2.3.0, < 2.3.2-p12022-05-24
CVE-2019-8112 [HIGH] CWE-345 Magento 2 Community Edition Security Bypass
Magento 2 Community Edition Security Bypass
A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation.
ghsaosv
CVE-2020-9591P3HIGH≥ 2.3.0, < 2.3.4-p2≥ 0, ≤ 2.2.112022-05-24
CVE-2020-9591 [HIGH] CWE-200 Magento defense-in-depth security mitigation vulnerability
Magento defense-in-depth security mitigation vulnerability
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.
ghsaosv
CVE-2020-3719P3HIGH≥ 2.3.0, < 2.3.4≥ 0, < 2.2.112022-05-24
CVE-2020-3719 [HIGH] CWE-89 Magento sql injection vulnerability
Magento sql injection vulnerability
Magento versions 2.3.3 and earlier, 2.2.10 and earlier, 1.14.4.3 and earlier, and 1.9.4.3 and earlier have an sql injection vulnerability. Successful exploitation could lead to sensitive information disclosure.
ghsaosv