Cross-Site Request Forgery in Adobe Commerce Affects User Privileges
CVE-2025-49555

8.1HIGH

Key Information:

Vendor: Adobe
Status: Adobe Commerce
Vendor: CVE Published:; 12 August 2025

What is CVE-2025-49555?

Adobe Commerce versions including 2.4.9-alpha1 and earlier are susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw can enable a privileged attacker to exploit the trust of an authenticated user, leading to unauthorized actions on a vulnerable web application. Such exploitation necessitates the victim’s interaction, typically by visiting a malicious site or clicking on a specially crafted link, resulting in the potential for unauthorized access and manipulation of sensitive data.

Affected Version(s)

Adobe Commerce 0 <= 2.4.4-p14

References

https://helpx.adobe.com/security/products/magento/apsb25-...

vendor-advisory

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2025
Vulnerability Reserved
Jun 6, 2025