Magento Community-Edition vulnerabilities
355 known vulnerabilities affecting magento/community-edition.
Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17
Vulnerabilities
Page 7 of 18
CVE-2021-36044 | P3 | HIGH | ≥ 2.4.2-p1, < 2.4.2-p2; ≥ 0, < 2.3.7-p1 | 2022-05-24
CVE-2021-36044 [HIGH] CWE-20 Magento affected by a server-side denial-of-service using a GraphQL field
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.
CVE-2019-7911 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7911 [HIGH] CWE-918 Magento 2 Community Edition Server-Side Request Forgery vulnerability
A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configu
CVE-2023-29297 | P3 | HIGH | ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4 | 2023-06-15
CVE-2023-29297 [HIGH] CWE-1336 Magento Open Source allows Improper Neutralization of Special Elements Used
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue do
CVE-2019-8109 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1 | 2022-05-24
CVE-2019-8109 [HIGH] CWE-352 Magento 2 Community Edition RCE Vulnerability via CSRF
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can craft a malicious CSRF payload that can result in arbitrary command execution.
CVE-2025-54267 | P3 | MEDIUM | ≥ 2.4.9-alpha1, < 2.4.9-alpha3; ≥ 2.4.8-beta1, < 2.4.8-p3 (+2 more) | 2025-10-14
CVE-2025-54267 [MEDIUM] CWE-863 Magento vulnerable to privilege escalation due to incorrect authorization
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity im
CVE-2019-8156 | P3 | HIGH | ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p2 | 2022-05-24
CVE-2019-8156 [HIGH] CWE-918 Magento 2 Community Edition SSRF vulnerability
A server-side request forgery (SSRF) vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to modify store configurations can manipulate the connector API endpoint to enable remote code execution.
As per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.m
CVE-2019-7912 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7912 [HIGH] CWE-434 Magento Filter extension bypass via crafted store configuration keys
A file upload filter bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to edit configuration keys to remove file extension filters, potentially resulting in the upload and execution of malicious files
CVE-2019-7859 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7859 [HIGH] CWE-22 Magento 2 Community Edition Path Traversal Vulnerability
A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.
CVE-2019-7913 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7913 [HIGH] CWE-918 Magento 2 Community Edition SSRF vulnerability
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code.
CVE-2019-7923 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7923 [HIGH] CWE-918 Magento 2 Community Edition SSRF vulnerability
A server-side request forgery (SSRF) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.
CVE-2019-8229 | P3 | HIGH | ≥ 0, < 1.9.4.3 | 2022-05-24
CVE-2019-8229 [HIGH] Withdrawn Advisory: Magento 2 Community Edition RCE Vulnerability
## Withdrawn Advisory
This advisory has been withdrawn because the vulnerability does not affect a package in one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems). This link is maintained to preserve external references.
## Original Description
In M
CVE-2019-7951 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7951 [HIGH] CWE-200 Magento 2 Community Edition Information Leak
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP requests.
CVE-2025-49555 | P3 | HIGH | ≥ 2.4.9-alpha1, < 2.4.9-alpha2; ≥ 2.4.8-beta1, < 2.4.8-p2 (+3 more) | 2025-08-12
CVE-2025-49555 [HIGH] CWE-352 Magento Cross-Site Request Forgery (CSRF) vulnerability
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially all
CVE-2023-38207 | P3 | LOW | ≥ 2.4.6-p1, < 2.4.6-p2; ≥ 2.4.5-p1, < 2.4.5-p4 (+1 more) | 2023-08-09
CVE-2023-38207 [LOW] CWE-91 Magento Open Source allows XML Injection
Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an XML Injection (aka Blind XPath Injection) vulnerability that could lead to minor arbitrary file system read. Exploitation of this issue does not require user interaction.
CVE-2023-38219 | P3 | LOW | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3 (+2 more) | 2023-10-13
CVE-2023-38219 [LOW] CWE-79 Magento Open Source allows Cross-Site Scripting (XSS)
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when t
CVE-2020-9691 | P3 | CRITICAL | ≥ 0, < 2.3.5-p2 | 2022-05-24
CVE-2020-9691 [CRITICAL] CWE-79 Magento DOM-based Cross-site scripting vulnerability
Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2024-45117 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8 (+2 more) | 2024-10-10
CVE-2024-45117 [MEDIUM] CWE-20 Magento Open Source Improper Input Validation vulnerability
Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An admin attacker could exploit this vulnerability to read files from the system outside of the intended directories via PHP filter chain and also can have a low
CVE-2025-24424 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9 (+2 more) | 2025-02-11
CVE-2025-24424 [MEDIUM] CWE-284 Magento Improper Access Control vulnerability
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
CVE-2021-21030 | P3 | HIGH | ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1-p1 | 2022-05-24
CVE-2021-21030 [HIGH] CWE-79 Magento stored cross-site scripting (XSS) in the customer address upload feature
Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires
CVE-2019-7928 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9 (+1 more) | 2022-05-24
CVE-2019-7928 [HIGH] Magento 2 Community Edition DoS vulnerability
A denial-of-service (DoS) vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. By abusing insufficient brute-forcing defenses in the token exchange protocol, an unauthenticated attacker could disrupt transactions between the Magento merchant and PayPal.