cvebase

Magento Community-Edition vulnerabilities

355 known vulnerabilities affecting magento/community-edition.

Total CVEs: 355
CISA KEV (actively exploited): 3
Public exploits: 4
Exploited in the wild: 5
Severity breakdown: CRITICAL 41, HIGH 105, MEDIUM 192, LOW 17

Vulnerabilities

Page 9 of 18
CVE-2019-7849 | P3 | HIGH | CWE-384 | 2022-05-24
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
Magento 2 Community Edition Session Fixation Check. A defense-in-depth check was added to mitigate inadequate session validation handling by third-party checkout modules. This impacts Magento 1.x prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2.
Sources: GHSA, OSV
CVE-2019-7854 | P3 | HIGH | CWE-639 | 2022-05-24
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
Magento 2 Community Edition IDOR Vulnerability. An insecure direct object reference (IDOR) vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 can lead to unauthorized disclosure of company credit history details.
Sources: GHSA, OSV
CVE-2025-24408 | P3 | MEDIUM | CWE-200 | 2025-02-11
Affected: ≥ 2.4.7-beta1, < 2.4.7-p4; ≥ 2.4.6-p1, < 2.4.6-p9; +2 more
Magento Information Exposure vulnerability. Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. A low-privileged attacker could gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2024-45116 | P3 | MEDIUM | CWE-79 | 2024-10-10
Affected: ≥ 2.4.7-beta1, < 2.4.7-p3; ≥ 2.4.6-p1, < 2.4.6-p8; +2 more
Magento Open Source Cross-Site Scripting (XSS) vulnerability. Magento Open Source versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. If an admin attacker can trick a user into clicking a specially crafted link or submitting a form, malicious scripts may be executed within the context of
Sources: GHSA, OSV
CVE-2023-29289 | P3 | MEDIUM | CWE-91 | 2023-06-15
Affected: ≥ 2.4.5-p1, < 2.4.5-p3; ≥ 2.4.4-p1, < 2.4.4-p4
Magento Open Source allows XML Injection. Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can use a specially crafted script to achieve a security feature bypass. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2019-7858 | P3 | HIGH | CWE-327 | 2022-05-24
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
Magento 2 Community Edition Cryptographic Flaw. A cryptographic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2 resulted in storage of sensitive information with an algorithm that is insufficiently resistant to brute force attacks.
Sources: GHSA, OSV
CVE-2019-7865 | P3 | HIGH | CWE-352 | 2022-05-24
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
Magento 2 Community Edition CSRF Vulnerability. A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.
Sources: GHSA, OSV
CVE-2024-39403 | P3 | HIGH | CWE-79 | 2024-08-14
Affected: ≥ 2.4.7-beta1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more
Magento Stored Cross-Site Scripting (XSS) vulnerability. Magento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable fie
Sources: GHSA, OSV
CVE-2025-54265 | P3 | MEDIUM | CWE-863 | 2025-10-14
Affected: ≥ 2.4.9-alpha1, < 2.4.9-alpha3; ≥ 2.4.8-beta1, < 2.4.8-p3; +2 more
Magento allows incorrect authorization. Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.
Sources: GHSA, OSV
CVE-2021-36037 | P3 | MEDIUM | CWE-285 | 2022-05-24
Affected: ≥ 2.4.2-p1, < 2.4.2-p2; ≥ 0, < 2.3.7-p1
Magento is affected by an improper authorization vulnerability. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
Sources: GHSA, OSV
CVE-2021-36012 | P3 | MEDIUM | 2022-05-24
Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2
Magento affected by a business logic error in the placeOrder GraphQL mutation. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder GraphQL mutation. An authenticated attacker can leverage this vulnerability to alter the price of an item.
Sources: GHSA, OSV
CVE-2019-8108 | P3 | MEDIUM | CWE-287 | 2022-05-24
Affected: ≥ 2.2, < 2.2.10; ≥ 2.3, < 2.3.2-p2
Magento Broken authentication and session management. An insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, and in Magento 2.3 prior to 2.3.3 or its 2.3.2-p1 patch release. An authenticated user can manipulate the session validation setting for a storefront, which leads to insecure authentication and session management.
Sources: GHSA, OSV
CVE-2024-39406 | P3 | MEDIUM | CWE-22 | 2024-08-14
Affected: ≥ 2.4.7-p1, < 2.4.7-p2; ≥ 2.4.6-p1, < 2.4.6-p7; +2 more
Magento Open Source Path Traversal vulnerability. Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exp
Sources: GHSA, OSV
CVE-2016-6485 | P3 | HIGH | CWE-327 | 2019-11-20
Affected: ≥ 2.0, < 2.2.6
Unauthenticated crypto and weak IV in Magento\Framework\Encryption. The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.
Sources: GHSA, OSV
CVE-2019-7889 | P3 | MEDIUM | CWE-74 | 2022-05-24
Affected: ≥ 2.1.0, < 2.1.18; ≥ 2.2.0, < 2.2.9; +1 more
Magento 2 Community Edition Injection Vulnerability. An injection vulnerability exists in Magento Open Source prior to 1.9.4.2, Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9 and Magento 2.3 prior to 2.3.2. An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modificati
Sources: GHSA, OSV
CVE-2021-28567 | P3 | MEDIUM | CWE-285 | 2022-05-24
Affected: ≥ 2.4.0, < 2.4.2-p1; ≥ 0, < 2.3.7
Magento Improper Authorization vulnerability in the customers module. Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.
Sources: GHSA, OSV
CVE-2019-8107 | P3 | MEDIUM | 2022-05-24
Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.2-p1
Magento 2 Community Edition Arbitrary File Deletion. An arbitrary file deletion vulnerability exists in Magento 2.2 prior to 2.2.10, and in Magento 2.3 prior to 2.3.3 or its 2.3.2-p1 patch release. An authenticated user with export data transfer privileges can craft a request to perform arbitrary file deletion.
Sources: GHSA, OSV
CVE-2019-8090 | P3 | MEDIUM | 2022-05-24
Affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.3
Magento 2 Community Edition Arbitrary File Deletion. An arbitrary file deletion vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3. An authenticated user can manipulate the design layout update feature.
Sources: GHSA, OSV
CVE-2022-35698 | P4 | HIGH | CWE-79 | 2022-10-15
Affected: ≥ 2.4.3-p1, ≤ 2.4.3-p3
Magento Open Source allows Stored Cross-Site Scripting (Stored XSS). Adobe Commerce versions 2.4.3-p3 (and earlier), 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in post-authentication arbitrary code execution.
Sources: GHSA, OSV
CVE-2021-36038 | P3 | MEDIUM | CWE-20 | 2022-05-24
Affected: ≥ 0, < 2.3.7-p1; ≥ 2.4.2-p1, < 2.4.2-p2
Magento discloses sensitive information via the Multishipping Module. Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.
Sources: GHSA, OSV
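Every entry above states its affected versions in the form "≥ 2.4.7-beta1, < 2.4.7-p4". Checking an installed Magento version against those bounds is easy to get wrong because Magento's -pN security patch releases sort after the base release while -alpha and -beta builds sort before it, so a plain string comparison misorders them. The following Python is an added example written for this page, not cvebase's, GHSA's or Magento's code: it parses that range notation and evaluates an installed version against the two ranges this page shows for CVE-2025-24408 (the "+2 more" ranges are not visible here and are not assumed). The sample installed versions are constructed.

```python
"""Check an installed Magento Open Source version against the affected-range
notation used in the entries above, e.g. ">= 2.4.7-beta1, < 2.4.7-p4".

Added example for this page; not cvebase, GHSA or Magento code. The ranges
below are the two shown for CVE-2025-24408 (the page truncates the rest).
"""
import operator
import re
from typing import Callable, Dict, List, Tuple

# Magento release ordering within one base version:
#   2.4.6-alpha1 < 2.4.6-beta1 < 2.4.6 < 2.4.6-p1 < 2.4.6-p2 ...
# Security patch releases (-pN) ship AFTER the base release, so treating "-p1"
# like a SemVer pre-release (or comparing strings) gets the order wrong.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(alpha|beta|p)(\d+))?$")
_CONSTRAINT_RE = re.compile(r"^(>=|<=|≥|≤|>|<)\s*(\S+)$")
_OPS: Dict[str, Callable] = {
    "≥": operator.ge, ">=": operator.ge, ">": operator.gt,
    "≤": operator.le, "<=": operator.le, "<": operator.lt,
}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '2.4.7-p3' into a key that sorts in Magento release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # "2.2" means 2.2.0, as in "≥ 2.2, < 2.2.10"
    suffix = m.group(2) or ""
    suffix_no = int(m.group(3)) if m.group(3) else 0
    return (tuple(nums), _SUFFIX_RANK[suffix], suffix_no)


def parse_range(text: str) -> List[Tuple[Callable, VersionKey]]:
    """Parse one range like '≥ 2.1.0, < 2.1.18' into (op, bound) pairs (ANDed)."""
    constraints = []
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = _CONSTRAINT_RE.match(part)
        if not m:
            raise ValueError(f"unrecognised constraint: {part!r}")
        constraints.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return constraints


def is_affected(installed: str, ranges: List[str]) -> bool:
    """True if `installed` falls inside any one of the listed affected ranges."""
    v = parse_version(installed)
    return any(all(op(v, bound) for op, bound in parse_range(r)) for r in ranges)


# The two ranges this page shows for CVE-2025-24408; its "+2 more" are not listed.
CVE_2025_24408_RANGES = ["≥ 2.4.7-beta1, < 2.4.7-p4", "≥ 2.4.6-p1, < 2.4.6-p9"]


if __name__ == "__main__":
    # Constructed sample versions. On a real host take the value from
    # `bin/magento --version` or `composer show magento/product-community-edition`.
    for installed in ["2.4.7-p3", "2.4.7-p4", "2.4.7", "2.4.6", "2.4.6-p8", "2.4.8"]:
        verdict = "AFFECTED" if is_affected(installed, CVE_2025_24408_RANGES) else "not affected"
        print(f"{installed:<10} {verdict}")
```

A hit only means the installed version lies inside a range shown on this page. For several entries above the advisory text is broader than the machine-readable ranges (CVE-2023-29289, for instance, lists "2.4.6 (and earlier)" while its ranges stop at 2.4.5-p3 and 2.4.4-p4), so treat the range check as a floor and read the advisory text before declaring a host unaffected.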