
Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV: 3 (actively exploited)
Public exploits: 4
Exploited in wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 8 of 18
CVE-2024-45132 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8; +2 more | 2024-10-10
CVE-2024-45132 [HIGH] CWE-285 Magento Open Source Improper Authorization vulnerability: Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect confidentiality. Exploitation of this issue does not require user interaction.
ghsa, osv
CVE-2024-45118 | P3 | HIGH | ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8; +2 more | 2024-10-10
CVE-2024-45118 [HIGH] CWE-284 Magento Open Source Improper Access Control vulnerability: Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and have high impact on integrity. Exploitation of this issue does not require
ghsa, osv
CVE-2025-24427 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9; +2 more | 2025-02-11
CVE-2025-24427 [MEDIUM] CWE-284 Magento Improper Access Control vulnerability: Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.
ghsa, osv
CVE-2025-49554 | P3 | HIGH | ≥ 2.4.9-alpha1, < 2.4.9-alpha2; ≥ 2.4.8-beta1, < 2.4.8-p2; +3 more | 2025-08-12
CVE-2025-49554 [HIGH] CWE-20 Magento vulnerable to denial of service: Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require us
ghsa, osv
CVE-2020-9588 | P3 | HIGH | ≥ 0, < 2.3.4-p2 | 2022-05-24
CVE-2020-9588 [HIGH] CWE-203 Magento Signature verification bypass: Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
ghsa, osv
CVE-2021-36043 | P3 | HIGH | ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2 | 2022-05-24
CVE-2021-36043 [HIGH] CWE-918 Magento affected by a blind SSRF vulnerability in the bundled dotmailer extension: Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.
ghsa, osv
CVE-2019-7886 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7886 [HIGH] CWE-330 Magento 2 Community Edition Cryptographic Flaw: A cryptographic flaw exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A weak cryptographic mechanism is used to generate the initialization vector in multiple security relevant contexts.
ghsa, osv
CVE-2019-7890 | P3 | HIGH | ≥ 2.1, < 2.1.18; ≥ 2.2, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7890 [HIGH] CWE-639 Magento 2 Community Edition IDOR Vulnerability: An Insecure Direct Object Reference (IDOR) vulnerability exists in the order processing workflow of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can lead to unauthorized access to order details.
ghsa, osv
CVE-2020-24401 | P3 | MEDIUM | ≥ 0, < 2.4.1 | 2022-05-24
CVE-2020-24401 [MEDIUM] CWE-863 Magento 2 Community Edition Incorrect Authorization: Magento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
ghsa, osv
CVE-2020-24400 | P3 | HIGH | ≥ 0, < 2.3.6; ≥ 2.4.0, < 2.4.1 | 2022-05-24
CVE-2020-24400 [HIGH] CWE-89 Magento SQL Injection vulnerability: Magento versions 2.4.0 and 2.3.5 (and earlier) are affected by an SQL Injection vulnerability that could lead to sensitive information disclosure. This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.
ghsa, osv
CVE-2019-7860 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7860 [HIGH] CWE-338 Magento 2 Community Edition Weak PRNG: A cryptographically weak pseudo-random number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
ghsa, osv
CVE-2019-8143 | P3 | MEDIUM | ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p1 | 2022-05-24
CVE-2019-8143 [MEDIUM] CWE-89 Magento Injection vulnerability via email templates: A SQL injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database.
ghsa, osv
CVE-2023-38249 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3; +2 more | 2023-10-13
CVE-2023-38249 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection: Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte
ghsa, osv
CVE-2023-38221 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3; +2 more | 2023-10-13
CVE-2023-38221 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection: Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte
ghsa, osv
CVE-2023-38250 | P3 | MEDIUM | ≥ 2.4.7-beta1, < 2.4.7-beta2; ≥ 2.4.6-p1, < 2.4.6-p3; +2 more | 2023-10-13
CVE-2023-38250 [MEDIUM] CWE-89 Magento Open Source allows SQL Injection: Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user inte
ghsa, osv
CVE-2023-38209 | P3 | MEDIUM | ≥ 2.4.6-p1, < 2.4.6-p2; ≥ 2.4.5-p1, < 2.4.5-p4; +1 more | 2023-08-09
CVE-2023-38209 [MEDIUM] CWE-863 Magento Open Source allows Incorrect Authorization: Adobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction.
ghsa, osv
CVE-2025-47110 | P3 | CRITICAL | ≥ 2.4.8-beta1, < 2.4.8-p1; ≥ 2.4.7-beta1, < 2.4.7-p6; +2 more | 2025-06-10
CVE-2025-47110 [CRITICAL] CWE-79 Magento contains stored XSS vulnerability: Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
ghsa, osv
CVE-2025-54264 | P3 | HIGH | ≥ 2.4.9-alpha1, < 2.4.9-alpha3; ≥ 2.4.8-beta1, < 2.4.8-p3; +2 more | 2025-10-14
CVE-2025-54264 [HIGH] CWE-79 Magento vulnerable to stored Cross-Site Scripting (XSS): Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page c
ghsa, osv
CVE-2021-28563 | P3 | MEDIUM | ≥ 2.4.0, < 2.4.2-p1; ≥ 0, < 2.3.7 | 2022-05-24
CVE-2021-28563 [MEDIUM] CWE-285 Magento Unauthorized access to restricted resources: Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper Authorization vulnerability via the 'Create Customer' endpoint. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation.
ghsa, osv
CVE-2019-7915 | P3 | HIGH | ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more | 2022-05-24
CVE-2019-7915 [HIGH] Magento 2 Community Edition DoS vulnerability: A denial-of-service vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. Under certain conditions, an unauthenticated attacker could force the Magento store's full page cache to serve a 404 page to customers.
ghsa, osv