Description
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross-Site Scripting vulnerability in Adobe Commerce allows an attacker with low privileges to inject malicious JavaScript into form fields. The injected script executes in the victim's browser when the page containing the field is viewed, enabling the attacker to gain elevated access or take control of the victim's account or session. The vulnerability is rated high severity because of its potential impact on confidentiality, integrity, and availability, realised on the client side.

Affected Systems

Adobe Commerce (formerly Magento) versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases are affected. System administrators should review which exact releases are in use to determine whether they fall within the affected set.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high-severity risk. No EPSS score is available, and the absence of a CISA KEV listing indicates no confirmed large-scale exploitation yet. An attacker can exploit this by submitting malicious content to a vulnerable writable form field, after which any user who views the page containing that field runs the script. The scope change means the attacker can compromise a victim's session beyond the attacker's own privileges, increasing the damage potential.

Generated by OpenCVE AI on May 12, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Adobe Commerce release that contains the fix for this XSS issue.
  • Apply any security patches or updates released by Adobe as referenced in the official advisory.
  • Configure input validation and sanitization for all writable fields, and consider employing a content security policy to limit script execution.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Adobe
                                      Adobe adobe Commerce
Vendors & Products                    Adobe
                                      Adobe adobe Commerce

Tue, 12 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed.
Title                          Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Adobe Adobe Commerce
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T19:50:32.687Z

Reserved: 2026-03-30T17:30:36.496Z

Link: CVE-2026-34686

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T20:16:38.597

Modified: 2026-05-12T20:16:38.597

Link: CVE-2026-34686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses