Stored Cross-Site Scripting Vulnerability in Adobe Commerce
CVE-2026-48371

5.4MEDIUM

What is CVE-2026-48371?

Adobe Commerce is prone to a stored Cross-Site Scripting (XSS) vulnerability that enables low-privileged attackers to inject harmful scripts into vulnerable form fields. When users visit a webpage with an affected field, the malicious JavaScript can execute in their browser, potentially leading to data theft or session hijacking.

Affected Version(s)

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce 0 <= 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18

Adobe Commerce B2B 0 <= 1.5.3, 1.5.2-p5, 1.4.2-p10, 1.3.4-p17, 1.3.3-p18

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.