Adobe Commerce | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Description
Adobe Commerce stores before 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9 contain an OS command injection vulnerability exploitable by an admin attacker via user interaction, leading to arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [1]. The flaw stems from insufficient sanitization of special elements that can be merged into operating system commands, allowing an authenticated administrator to inject arbitrary commands [1].
Exploitation
An attacker must first hold administrative access to the Adobe Commerce application. Exploitation requires user interaction, meaning the administrator must perform a specific action, such as clicking a link or submitting a crafted request, for the attack to succeed [1]. The vulnerability's CVSS scope is Changed, indicating the impact can extend beyond the vulnerable component (for example, to adjacent network resources or other application components) [1].
Impact
Successful exploitation enables an admin attacker to execute arbitrary OS commands on the underlying server, leading to arbitrary code execution and full compromise of the affected system [1]. The attacker could install persistent backdoors, alter or exfiltrate data, or pivot to other internal systems depending on the deployment architecture.
Mitigation
Adobe has released security patches that address this vulnerability in versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9 [1]. Users running earlier versions are advised to upgrade immediately. As a defense-in-depth measure, organizations should restrict admin interface access to trusted IPs and enforce multi-factor authentication for admin accounts.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p2 | 2.4.7-p2 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p7 | 2.4.6-p7 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p9 | 2.4.5-p9 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p10 | 2.4.4-p10 |
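As an added check (written for this page, not code from the advisory, Adobe or the Magento project), the snippet below turns the magento/community-edition ranges from the table above into a lookup that reports whether an installed version falls inside one of them and which release closes it. The stage ordering it assumes (beta < rc < bare release < p) follows Composer's version rules, and the version strings exercised are constructed for illustration.

```python
import re

# Affected ranges for magento/community-edition, copied from the advisory table above:
# (lower bound inclusive, upper bound exclusive, patched version)
AFFECTED_RANGES = [
    ("2.4.7-beta1", "2.4.7-p2", "2.4.7-p2"),
    ("2.4.6-p1", "2.4.6-p7", "2.4.6-p7"),
    ("2.4.5-p1", "2.4.5-p9", "2.4.5-p9"),
    ("2.4.4-p1", "2.4.4-p10", "2.4.4-p10"),
]

# Composer ranks pre-release stages below the bare release and "p"/"patch"
# above it, so 2.4.7-beta1 < 2.4.7-rc1 < 2.4.7 < 2.4.7-p1 < 2.4.7-p2.
_STAGE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3, "": 4, "p": 5}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(dev|alpha|beta|rc|patch|p)(\d*))?")


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH[-stageN]' into a tuple that sorts like Composer does."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, stage, num = m.groups()
    stage = "p" if stage == "patch" else (stage or "")
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(num or 0))


def affected_range(version):
    """Return (lower, upper, patched) for the range that contains version, else None."""
    key = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if parse_version(lower) <= key < parse_version(upper):
            return (lower, upper, patched)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, e.g. values taken from `composer show magento/community-edition`
    for installed in ("2.4.7-p1", "2.4.7-p2", "2.4.6-p3", "2.4.4"):
        hit = affected_range(installed)
        print(installed, "->", f"affected, upgrade to {hit[2]}" if hit else "outside the listed ranges")
```

The version to feed in is the one reported by `composer show magento/community-edition` (or recorded in composer.lock) on the store being checked.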
Affected products
GHSA coordinates (3 entries; no CPE identifiers assigned):
- range: >= 2.4.7-beta1, < 2.4.7-p2 (no CPE)
- range: <= 2.0.2 (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2ff6-837j-hg5x (source: GHSA; type: advisory)
- helpx.adobe.com/security/products/magento/apsb24-61.html (source: GHSA; type: vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-39402 (source: GHSA; type: advisory)
News mentions
No linked articles in our index yet.