Stored Cross-Site Scripting Vulnerability in Adobe Commerce
CVE-2026-47995

8.1HIGH

What is CVE-2026-47995?

Adobe Commerce is susceptible to a stored Cross-Site Scripting (XSS) vulnerability that enables high-privileged attackers to inject harmful scripts into vulnerable form fields. This vulnerability allows the execution of malicious JavaScript in the browser of users who access the page containing the compromised field, potentially leading to unauthorized access or control over the victim's account or session. It highlights the need for immediate security measures to protect sensitive user data and maintain the integrity of online transactions.

Affected Version(s)

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce B2B 0 <= 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.