Unrestricted File Upload Vulnerability in Adobe Commerce Web Application
CVE-2026-48356

9.6CRITICAL

What is CVE-2026-48356?

Adobe Commerce is vulnerable to an unrestricted file upload issue that may allow an attacker to upload files of potentially harmful types, leading to arbitrary code execution within the context of the current user. This security weakness can be exploited through user interaction, such as visiting a specially crafted URL or engaging with a compromised web page. Successful exploitation may allow the attacker to inject malicious scripts, which could result in increased privileges or control over the affected user's session.

Affected Version(s)

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce B2B 0 <= 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.