Description
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Published: 2026-03-11
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) leading to session takeover
Action: Patch Immediately
AI Analysis

Impact

Adobe Commerce versions 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 and all earlier releases contain a stored XSS vulnerability that an attacker with high privileges can exploit by injecting malicious JavaScript into form fields that are not properly sanitized. The malicious script is delivered to a victim’s browser when the vulnerable page is visited and can result in session hijacking, thereby raising confidentiality and integrity impact to high.

Affected Systems

The affected software is Adobe Commerce (Magento) for all releases up to and including 2.4.9‑alpha3 and earlier. The affected versions are 2.4.9‑alpha3, 2.4.8‑p3, 2.4.7‑p8, 2.4.6‑p13, 2.4.5‑p15, 2.4.4‑p16 and all prior releases that are covered by the vendor’s product family.

Risk and Exploitability

The vulnerability has a CVSS score of 8.0, an EPSS score of less than 1%, and is not listed in CISA’s KEV catalog. Exploitation requires a privileged attacker who can submit payloads to form fields and a victim who subsequently visits the affected page. The attack vector is web‑based and would be successful if the attacker can convince a user to navigate to a page containing the malicious field.

Generated by OpenCVE AI on March 17, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Commerce security patch that addresses the cross‑site scripting flaw.
  • Verify that all form inputs are properly escaped or sanitized in the latest release.
  • If a patch cannot be applied immediately, restrict or disable access to the vulnerable form fields until remediation is complete.

Generated by OpenCVE AI on March 17, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:*:*:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:*:*:*:*:open_source:*:*:*

Wed, 11 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Adobe commerce
Adobe commerce B2b
Adobe magento
CPEs cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.6:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:b2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:beta3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.7:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:beta2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.8:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce:2.4.9:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p16:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.3:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p14:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p15:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.4:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p10:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p11:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p12:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p13:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.3.5:p9:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p4:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p5:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p6:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p7:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.4.2:p8:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:-:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.2:p3:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha2:*:*:*:*:*:*
cpe:2.3:a:adobe:commerce_b2b:1.5.3:alpha3:*:*:*:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p14:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p15:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.5:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p10:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p11:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p12:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p13:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.6:p9:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:b2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:beta3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p4:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p5:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p6:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p7:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.7:p8:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:-:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:beta2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p1:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p2:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.8:p3:*:*:open_source:*:*:*
cpe:2.3:a:adobe:magento:2.4.9:alpha3:*:*:open_source:*:*:*
Vendors & Products Adobe commerce
Adobe commerce B2b
Adobe magento

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Commerce
Vendors & Products Adobe
Adobe adobe Commerce

Wed, 11 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field.
Title Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Commerce Commerce Commerce B2b Magento
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-03-12T03:55:25.017Z

Reserved: 2025-12-12T22:01:18.192Z

Link: CVE-2026-21311

cve-icon Vulnrichment

Updated: 2026-03-11T13:46:15.103Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T03:15:55.510

Modified: 2026-03-11T18:08:37.897

Link: CVE-2026-21311

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:38:20Z

Weaknesses