Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NAdobe Commerce
APPAdobe2.4.42.4.52.4.62.4.72.4.82.4.9Adobe Commerce B2b
APPAdobe1.3.31.3.41.4.21.5.21.5.3Adobe Magento
APPAdobe2.4.52.4.62.4.72.4.82.4.9
CISA KEV — detailsi
- Vendori
- Adobe ↗
- Producti
- Commerce and Magento
- Added to KEVi
- October 24, 2025
- Remediation deadline (US Federal)i
- November 14, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Adobe Commerce and Magento Open Source contain an improper input validation vulnerability that could allow an attacker to take over customer accounts through the Commerce REST API.
Related vulnerabilities
Krytyczna podatność XXE w Adobe Commerce umożliwiająca RCE
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input va...
Adobe Commerce — Incorrect Authorization umożliwiające privilege escalation
Adobe Commerce — nieprawidłowe uwierzytelnienie umożliwiające privilege escalation
Adobe Commerce — RCE poprzez nieograniczony upload niebezpiecznych plików