Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce versions up to 2.4.9‑beta1 contain a dependency on a vulnerable third‑party component that can be exploited to crash the application server, resulting in a denial of service. The flaw is a component‑level weakness (CWE‑1395) that allows an attacker to trigger an application crash without any user interaction, compromising availability.

Affected Systems

The affected vendor is Adobe and the product is Adobe Commerce. Versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier builds are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. Because the EPSS score is not available, the precise likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. The description states that exploitation does not require user interaction; the attack can be carried out remotely by an adversary delivering requests to a vulnerable component, causing the application to crash and denying service to legitimate users.

Generated by OpenCVE AI on May 12, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the official security patch or upgrade Adobe Commerce to a release newer than 2.4.9‑beta1 that removes the vulnerable component
  • If an immediate patch is not available, replace or disable the impacted third‑party module until an update is released
  • Continuously monitor application logs for repeated crashes and enforce rate limiting on exposed APIs to mitigate potential exploitation attempts

Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Type: Vendors & Products
Values Removed: (none)
Values Added: Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Type: Title
Values Removed: (none)
Values Added: Adobe Commerce | Dependency on Vulnerable Third-Party Component (CWE-1395)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1395

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T00:22:45.356Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34654

Vulnrichment

Updated: 2026-05-13T00:22:40.927Z

NVD

Status: Received

Published: 2026-05-12T20:16:36.500

Modified: 2026-05-12T20:16:36.500

Link: CVE-2026-34654

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z
