Adobe Commerce | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Description
Adobe Commerce is affected by an OS command injection vulnerability that allows an admin attacker to achieve arbitrary code execution with user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-39401 is an Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability in Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier [1]. The root cause is the application's failure to properly sanitize special elements in input that is used to construct OS commands, which allows an attacker to inject arbitrary commands through that input.
Exploitation and Attack Surface
The vulnerability requires an attacker to have administrative privileges on the targeted Adobe Commerce instance [1]. Additionally, exploitation requires user interaction, meaning another user must perform an action that triggers the injected command [1]. The scope is rated as changed, indicating that the injected command can affect resources beyond the vulnerable component. No other prerequisites, such as network proximity or a specific configuration, are noted.
Impact
Successful exploitation of this OS command injection vulnerability allows an attacker to execute arbitrary code on the underlying server [1]. This can lead to full compromise of the affected system, including data exfiltration, modification of site content, credential theft, or further lateral movement within the network.
Mitigation Status
Adobe has not released a patch as of the publication date. Users are advised to apply vendor-supplied updates once they become available, monitor vendor advisories, and restrict administrative access to trusted users [1]. This CVE has not yet been added to the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p2 | 2.4.7-p2 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p7 | 2.4.6-p7 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p9 | 2.4.5-p9 |
| magento/community-edition | Packagist | >= 2.4.4-p1, < 2.4.4-p10 | 2.4.4-p10 |
Affected products
- ghsa-coords (2 versions): >= 2.4.7-beta1, < 2.4.7-p2; <= 2.0.2
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p2
- (no CPE) range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8frp-pxq2-3gpq (GHSA, advisory)
- helpx.adobe.com/security/products/magento/apsb24-61.html (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-39401 (GHSA, advisory)
News mentions
No linked articles in our index yet.