Impact
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and any earlier version contain a stored cross-site scripting (XSS) flaw (CWE-79). A low-privileged attacker can inject malicious JavaScript into vulnerable form fields; the payload is stored and, when a user later visits the affected page, runs in that victim's browser, enabling data theft, session hijacking or other client-side compromise.
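As an added illustration of the stored-XSS pattern the advisory describes (example code, not Adobe Commerce's own), a vulnerable PHP render is shown beside a hardened one. The display_name field, the render functions and the sample value are constructed for this example; the Magento Escaper methods named in the comments are the real framework API.

```php
<?php
// Added illustration of the flaw class described above; not Adobe Commerce code.
// Hypothetical "display_name" field: a low-privileged user stores a value through a
// form, and a later page render echoes it. The advisory does not name the real fields.
declare(strict_types=1);

// Constructed sample input: a harmless marker showing where injected markup would land.
const STORED_VALUE = '"><script>/*injected*/</script>';

// Vulnerable pattern: the stored value is concatenated straight into HTML.
function renderUnsafe(string $value): string
{
    return '<input name="display_name" value="' . $value . '">'
        . '<p>Welcome, ' . $value . '</p>';
}

// Hardened pattern: escape for the output context. In a Magento .phtml template this
// is $escaper->escapeHtmlAttr($value) inside the attribute and $escaper->escapeHtml($value)
// in element content (\Magento\Framework\Escaper); htmlspecialchars stands in here so
// the file runs stand-alone.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $value): string
{
    return '<input name="display_name" value="' . esc($value) . '">'
        . '<p>Welcome, ' . esc($value) . '</p>';
}

// Review check: a stored value that reaches the output with its quote or tag opener
// intact can leave its context. Usable as a template-review assertion.
function payloadSurvives(string $html, string $raw): bool
{
    return str_contains($html, $raw) || preg_match('/<script\b/i', $html) === 1;
}

$renders = ['unsafe' => renderUnsafe(STORED_VALUE), 'safe' => renderSafe(STORED_VALUE)];
foreach ($renders as $label => $html) {
    printf("%-6s %s\n       payload survives: %s\n",
        $label, $html, payloadSurvives($html, STORED_VALUE) ? 'yes' : 'no');
}
```

Run with `php` 8.x (Magento 2.4.x already requires PHP 8.1 or later); the unsafe render reports that the payload survives, the escaped render does not.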
Affected Systems
The affected software is Adobe Commerce (Magento). Vulnerable releases are 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and any earlier version. The corresponding CPE strings cover these product lines in both the Enterprise and open-source editions.
Risk and Exploitability
The CVSS score of 5.4 (medium severity) reflects that exploitation requires user interaction: a victim must visit the page where the payload is stored. The EPSS score is below 1 %, predicting a low likelihood of exploitation; the issue is not listed in CISA's KEV catalog, and no public exploit code is known. Once a victim loads the affected page, the attacker's script runs in their browser. Exploitation is not currently known to be widely automated, but the potential for client-side compromise remains and warrants timely remediation.
OpenCVE Enrichment