Adobe Commerce XSS Vulnerability

MEDIUM (4.8) No Patch (67 days)

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.08% chance of exploitation (percentile: 24%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found

What is it?

Adobe Commerce is an e-commerce platform used by many businesses. This vulnerability allows attackers to inject malicious scripts into vulnerable form fields, which can be executed in a victim's browser when they browse to the page containing the field. If your organization uses Adobe Commerce, you're at risk of having sensitive data stolen or manipulated.

Am I affected?

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected.

Check with: run a package scanner such as OSV.dev, Trivy or Grype against your Adobe Commerce 2.x installation.

Note: This is Adobe Commerce, not Magento, which is another e-commerce platform.

Affected Products

Adobe Inc. / Adobe Commerce

How to fix

  1. Upgrade to Adobe Commerce 2.5.0 or later.
  2. Maven: update your pom.xml dependency version.
  3. Immediate mitigations:
     - Restrict network access to your Adobe Commerce instance (firewall it from the public internet).
     - Audit admin account activity for suspicious access patterns.
     - Monitor for unauthorized token creation.