Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Published: 2026-05-12
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Adobe Commerce is vulnerable to a stored Cross-Site Scripting flaw that can be exploited by a high-privileged attacker to inject arbitrary JavaScript into form fields. When the victim visits the affected page, the injected scripts run within the victim's browser, potentially compromising confidential data or performing actions on their behalf. The flaw is classified as CWE-79 and raises the risk of confidentiality, integrity, and availability impact for affected users.

Affected Systems

The vulnerability affects Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases. The impacted product is Adobe Commerce from Adobe.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and no EPSS exploitation-probability score is available, which does not preclude actual exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would need high-privileged credentials to achieve injection, suggesting an internal threat model or a compromised privileged user. The changed scope indicates that the impact reaches beyond the vulnerable component: the injected script runs in the victim's browser, which can amount to broader impact or privilege escalation once the attacker has the necessary access.

Generated by OpenCVE AI on May 12, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe Commerce to a version that has fixed the stored XSS vulnerability, as documented in Adobe's security advisory
  • If an immediate upgrade is not possible, disable or restrict access to the vulnerable form fields for all user roles except administrators, and validate input on submission and encode it on output before rendering
  • Implement Content Security Policy headers that limit script execution and reduce the impact of any remaining XSS vectors

Generated by OpenCVE AI on May 12, 2026 at 21:46 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Adobe; Adobe adobe Commerce
Vendors & Products   -                Adobe; Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   -                Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed.
Title         -                Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T19:50:25.384Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34655

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:36.607

Modified: 2026-05-12T20:16:36.607

Link: CVE-2026-34655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses