Magento Commerce CMS Page Improper Input Validation Could Lead To Remote Code Execution
Description
Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are vulnerable to improper input validation in the CMS page scheduled update feature, allowing an authenticated administrator to achieve remote code execution.
CVE-2021-36021 describes an improper input validation vulnerability in the CMS page scheduled update feature of Adobe Magento. The affected versions are 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier). The root cause is that the feature fails to properly validate input, which allows an attacker to inject and execute arbitrary code on the server [1].
Exploitation
To exploit this vulnerability, an attacker must first authenticate as an administrative user on the Magento instance; the advisory mentions no network-level precondition and no authentication bypass, so administrative access is a prerequisite. The attack surface is the CMS page scheduled update functionality, where the improper input validation occurs. Input that is not properly validated there is processed by the scheduled update mechanism and leads to code injection [1].
Impact
Successful exploitation grants the attacker remote code execution on the underlying system. This means the attacker can execute arbitrary commands, potentially compromising the entire application, accessing sensitive data, modifying files, or pivoting to other systems. Because the attacker already has administrative privileges, the impact is severe, potentially leading to full server compromise [1].
Mitigation
Adobe has addressed this vulnerability in Magento versions 2.4.3, 2.4.2-p2, and 2.3.7-p1 or later. Users should upgrade to these patched versions immediately. The vendor's official repository provides the source code and release information [2].
- [1] NVD - CVE-2021-36021
- [2] GitHub - magento/magento2 (vendor source repository)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p1 | 2.3.7-p1 |
| magento/community-edition (Packagist) | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
OSV coordinates (3 package identifiers):
- pkg:bitnami/magento
- pkg:composer/magento/community-edition
- pkg:composer/magento/project-community-edition
Version ranges:
- (no CPE) range: < 2.3.7
- (no CPE) range: < 2.3.7-p1
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4g27-q2w9-m8m8 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb21-64.html (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2021-36021 (NVD advisory, via GHSA)
News mentions
No linked articles in our index yet.