Magento Commerce XML Injection Vulnerability In The 'City' Field Could Lead To Remote Code Execution
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento Commerce and Open Source are vulnerable to XML injection in the 'City' field, allowing unauthenticated remote code execution.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by an XML injection vulnerability in the 'City' field. The injection occurs when user-supplied input is improperly handled during XML processing, allowing an attacker to inject arbitrary XML elements. This vulnerability is reachable without authentication, as the 'City' field is typically part of the checkout or address input forms exposed to unauthenticated users [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted request containing malicious XML in the 'City' field. No special network position or prior authentication is required. The crafted script is processed by the application's XML parser, enabling the injection of arbitrary XML content that is then interpreted by the backend [1].
Impact
Successful exploitation allows the attacker to achieve remote code execution (RCE) on the underlying server. This grants the attacker full control over the affected system, leading to complete compromise of confidentiality, integrity, and availability (CIA) of the Magento instance and potentially associated data [1].
Mitigation
Adobe has released security updates to address this vulnerability. Users should upgrade to Magento Commerce 2.4.3, 2.4.2-p2, or 2.3.7-p1 (or later) as soon as possible. There are no known workarounds; applying the official patch is the recommended mitigation [1]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/project-community-editionPackagist | <= 2.0.2 | — |
magento/community-editionPackagist | < 2.3.7-p1 | 2.3.7-p1 |
magento/community-editionPackagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
4- Range: <=2.4.2, <=2.4.2-p1, <=2.3.7
- ghsa-coords2 versions
< 2.3.7-p1+ 1 more
- (no CPE)range: < 2.3.7-p1
- (no CPE)range: <= 2.0.2
- Adobe/Magento Commercev5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-xvpx-6hh8-7h72ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-36020ghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb21-64.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.