Stored Cross-Site Scripting Vulnerability in Adobe Commerce
CVE-2026-47994

8.7HIGH

What is CVE-2026-47994?

Adobe Commerce is impacted by a stored Cross-Site Scripting (XSS) vulnerability, allowing a low-privileged attacker to inject malicious scripts into vulnerable form fields. When users interact with these fields, the malicious JavaScript could execute in their browsers. This exploitation poses a risk of unauthorized access or control over the affected user's account, compromising session security. Proper sanitization and validation measures are essential to mitigate this vulnerability effectively.

Affected Version(s)

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce B2B 0 <= 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.