Impact
Adobe Commerce versions prior to 2.4.9-alpha3 contain a stored Cross-Site Scripting (XSS) vulnerability that allows a high-privileged attacker to inject malicious JavaScript into vulnerable form fields. When a victim's browser loads the affected page, the injected script executes, potentially enabling session takeover. The impact on confidentiality and integrity is rated high; exploitation requires an attacker with high privileges to create the malicious input and a user who interacts with the affected page.
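The root cause described above is a stored value written into a page without output encoding. The following is an added illustration, not code from Adobe Commerce or from this advisory: a constructed set of admin-editable fields (the field names and values are made up) rendered first with the vulnerable pattern and then with HTML escaping at the point of output, plus a small audit helper a defender can run over existing rows to find fields that already hold markup.

```python
import html

# Constructed sample of admin-editable form fields as they might sit in the database.
# The stored text is inert on its own; the bug is in how it is written into the page.
STORED_FIELDS = {
    "store_name": "Acme Shop",
    "footer_note": "<script>alert(1)</script>Thanks for visiting",
    "promo_title": 'Sale "now" & more',
}

# Hypothetical page fragment; the field value is placed in HTML text context.
TEMPLATE = '<div class="{field}">{value}</div>'


def render_unsafe(field: str) -> str:
    """Vulnerable pattern: the stored value is interpolated straight into HTML,
    so a <script> tag saved by a privileged user runs in every visitor's browser."""
    return TEMPLATE.format(field=field, value=STORED_FIELDS[field])


def render_safe(field: str) -> str:
    """Hardened pattern: escape for the HTML text context at the moment of output.
    html.escape(quote=True) also covers quoted attribute values; it is NOT sufficient
    for JavaScript, URL or CSS contexts, which need their own encoders."""
    return TEMPLATE.format(field=field, value=html.escape(STORED_FIELDS[field], quote=True))


def looks_like_markup(value: str) -> bool:
    """Heuristic audit check for fields that are supposed to hold plain text:
    any angle bracket is worth a look. This finds already-stored payloads; it is
    not a substitute for output encoding."""
    return "<" in value or ">" in value


def audit_fields(fields: dict) -> list:
    """Return the names of stored fields that contain markup, sorted for stable output."""
    return sorted(name for name, value in fields.items() if looks_like_markup(value))


if __name__ == "__main__":
    print(render_unsafe("footer_note"))   # script tag reaches the browser intact
    print(render_safe("footer_note"))     # script tag is rendered as literal text
    print(audit_fields(STORED_FIELDS))    # ['footer_note']
```

The two render functions differ in one call; the audit helper is what an operator would run against a database export of the affected fields while patching, to see whether anything was already planted.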
Affected Systems
Affected installations include Adobe Commerce 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and any earlier releases. The same issue exists in Magento Open Source releases with similar version numbers. The provided CPE list enumerates all these affected product lines.
Risk and Exploitability
The vulnerability has a CVSS score of 8.1 (High) and an EPSS score below 1 %, indicating a low probability of exploitation at this time. It is not listed in CISA's KEV catalog. Exploitation requires an attacker with high privileges to submit the malicious content and a victim who visits the vulnerable page for the payload to run; this limits the attack surface but still poses a significant risk to systems remaining on affected versions.
OpenCVE Enrichment