Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Description
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead to arbitrary code execution by an admin-privileged authenticated attacker. Exploitation of this issue does not require user interaction, and attack complexity is high, as it requires knowledge of tooling beyond just using the UI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce SQL injection in admin functionality allows authenticated admin attacker to achieve arbitrary code execution (CVE-2023-38221).
CVE-2023-38221 is an SQL injection vulnerability in Adobe Commerce affecting versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier. The issue arises from improper neutralization of special elements used in SQL commands, enabling an attacker to inject malicious SQL code into database queries [1].
Exploitation requires an attacker with administrative privileges and is considered high complexity, as it demands knowledge of tooling beyond the standard user interface. No user interaction is necessary for the attack [1].
Successful exploitation could lead to arbitrary code execution on the underlying server, potentially compromising the entire e-commerce platform and its data [1].
Administrators of affected systems should apply the latest security updates provided by Adobe. No workarounds have been published, and the vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-beta2 | 2.4.7-beta2 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p3 | 2.4.6-p3 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p5 | 2.4.5-p5 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p6 | 2.4.4-p6 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <= 2.4.7-beta1, <= 2.4.6-p2, <= 2.4.5-p4, <= 2.4.4-p5
- GHSA coordinates (2 version ranges): >= 2.4.7-beta1, < 2.4.7-beta2 (plus 1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-beta2
- (no CPE) range: <= 2.0.2
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-ggr8-3hwx-4f2m (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb23-50.html (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-38221 (NVD advisory, via GHSA)
News mentions
No linked articles in our index yet.