Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce depends on a vulnerable third-party component that can crash the application. Because the crash terminates service, an attacker can trigger an application denial-of-service. The weakness is classified as CWE-1395 (Dependency on Vulnerable Third-Party Component). Nothing indicates data loss or unauthorized access; the primary impact is loss of availability.

Affected Systems

Adobe Commerce versions 2.4.9‑beta1, 2.4.8‑p4, 2.4.7‑p9, 2.4.6‑p14, 2.4.5‑p16, 2.4.4‑p17 and all earlier releases are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 signals high severity. The EPSS score is not available, so the evidence base for exploitation probability is limited, and the vulnerability is not in the CISA KEV catalog. Exploitation does not require user interaction, implying that an attacker can trigger the crash without any human action, possibly via a crafted request to the application or by supplying a malicious dependency in the deployment package. The lack of user interaction also suggests that the attack could be automated and may impact multiple instances if the vulnerable component is widely used.

Generated by OpenCVE AI on May 12, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Commerce to the latest available release (for example, 2.5.x) where the vulnerable third‑party component has been removed or fixed.
  • If an immediate upgrade cannot be performed, uninstall or disable the vulnerable third‑party dependency from the application as a temporary workaround.
  • After applying the upgrade or removing the component, restart the Adobe Commerce service and enable monitoring of application logs to confirm that crashes no longer occur.



Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 12 May 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe adobe Commerce |
| Vendors & Products | | Adobe; Adobe adobe Commerce |

Tue, 12 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. |
| Title | | Adobe Commerce \| Dependency on Vulnerable Third-Party Component (CWE-1395) |
| Weaknesses | | CWE-1395 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T00:23:29.848Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34652

Vulnrichment

Updated: 2026-05-13T00:23:25.398Z

NVD

Status: Received

Published: 2026-05-12T20:16:36.273

Modified: 2026-05-12T20:16:36.273

Link: CVE-2026-34652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses