Adobe Commerce Cross-Site Request Forgery (CSRF) Could Lead To Unauthorized Cart Addition
Description
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to the unauthorized addition of items to a customer's cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Adobe Commerce via Wishlist Share Link allows unauthenticated attackers to add items to a victim's cart.
Vulnerability
Adobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier), and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability in the Wishlist Share Link feature. The vulnerability arises when a user clicks a malicious link crafted by an attacker, which triggers unauthorized actions on behalf of the authenticated user. No admin access is required for the vulnerable code path to be reachable [1].
Exploitation
An unauthenticated attacker can exploit this CSRF vulnerability by tricking a logged-in user into clicking a specially crafted link. The link leverages the Wishlist Share functionality to send a request that adds items to the victim's cart. No special network position or authentication is needed other than the victim being logged into their Adobe Commerce store [1].
Impact
Successful exploitation allows the attacker to add items to the victim's shopping cart without the victim's consent. This could lead to unwanted items being included in the cart, potentially resulting in unintended purchases or manipulation of the checkout process. The attacker gains no additional privileges beyond cart manipulation [1].
Mitigation
Not yet disclosed in the available references [1]. Users should monitor Adobe Security Bulletins for updates and apply any released patches as soon as possible.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.2-p1, <= 2.4.2-p2 | — |
| magento/community-edition (Packagist) | < 2.3.7-p2 | 2.3.7-p2 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <=2.4.2-p2, <=2.4.3, <=2.3.7p1
- GHSA coordinates, 2 versions: >= 2.4.2-p1, <= 2.4.2-p2 (+ 1 more)
- (no CPE) range: >= 2.4.2-p1, <= 2.4.2-p2
- (no CPE) range: <= 2.0.2
- Adobe/Magento Commerce (v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-94wq-87g6-8h77 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-39864 (GHSA, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb21-86.html (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.