Magento Commerce Stored Cross-site Scripting Vulnerability
Description
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Magento Commerce 2.4.2 and earlier allows attackers to inject malicious JavaScript into form fields, executed when victims view the page.
Vulnerability
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by a stored cross-site scripting (XSS) vulnerability in vulnerable form fields. The vulnerability allows an attacker to inject arbitrary JavaScript into these fields, which is then stored and executed in the browser of any user who views the page containing the injected content [1].
Exploitation
An attacker with the ability to submit data to the affected form fields can inject malicious JavaScript. No special network position or authentication is required if the form is publicly accessible; however, if the form is restricted to authenticated users, the attacker must have valid credentials. The injected script is stored on the server and executed when a victim (e.g., an administrator or other user) navigates to the page that renders the field [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the Magento application. This can lead to session hijacking, theft of sensitive data (e.g., cookies, tokens), defacement, or further malicious actions on behalf of the victim [1].
Mitigation
Not yet disclosed in the available references. Users should monitor Adobe's security advisories for patched versions and apply updates as soon as they become available. As a general precaution, input validation and output encoding should be enforced on all form fields.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/project-community-editionPackagist | <= 2.0.2 | — |
magento/community-editionPackagist | < 2.3.7-p1 | 2.3.7-p1 |
magento/community-editionPackagist | >= 2.4.2-p1, < 2.4.2-p2 | 2.4.2-p2 |
Affected products
4- Range: <=2.4.2-p1, <=2.3.7
- ghsa-coords2 versions
< 2.3.7-p1+ 1 more
- (no CPE)range: < 2.3.7-p1
- (no CPE)range: <= 2.0.2
- Adobe/Magento Commercev5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-x2v2-2jhp-c5hvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-36027ghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb21-64.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.