Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to stored XSS allowing a low-privileged attacker to inject malicious scripts and perform session takeover.
Root Cause
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability. The flaw lies in insufficient sanitization of user-supplied input in form fields, allowing a low-privileged attacker to inject malicious JavaScript code that is stored and later executed in the browser of any victim viewing the affected page [1].
Attack Vector
Exploitation requires only low-privileged access to the Adobe Commerce instance, for example as a customer or an administrative user with limited permissions. The attacker injects a malicious script into a vulnerable form field, which is then persisted on the server. When a victim, possibly another administrator or storefront user, navigates to the page containing that field, the script executes in their browser context with the origin and permissions of the legitimate application [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's session, leading to session takeover. This exposes both confidentiality and integrity impacts, as the attacker can perform actions on behalf of the victim, access sensitive data, and manipulate the application state [1].
Mitigation
Adobe has released security patches for affected versions: 2.4.4-p11, 2.4.5-p10, 2.4.6-p8, 2.4.7-p3 and later. Users should update to these patched versions immediately. The Magento Open Source codebase is available on GitHub for review [2]. No workarounds are documented; applying the latest patch is the recommended action.
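To make the root cause and the fix concrete, the following plain-PHP snippet is an added illustration and is not code from Adobe Commerce, from the advisory, or from this page. It contrasts a template fragment that interpolates a stored form-field value into HTML unchanged (the insufficient-sanitization pattern described under Root Cause) with one that HTML-encodes the value on output (the pattern the patched releases apply). The field label, the stored value and the render functions are all hypothetical; in Magento templates the role played here by htmlspecialchars() is filled by the framework Escaper's escapeHtml().

```php
<?php
declare(strict_types=1);

// Constructed sample: a value a low-privileged user could have saved into a
// customer-editable text field. Hypothetical; not taken from the advisory.
$storedFieldValue = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored value is dropped into the markup verbatim,
// so the victim's browser parses the tag and runs its event handler.
function renderFieldVulnerable(string $label, string $value): string
{
    return "<td>{$label}</td><td>{$value}</td>";
}

// Hardened pattern: encode for the HTML element context at output time.
// ENT_QUOTES encodes both quote styles so the result is also safe inside a
// double- or single-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFieldHardened(string $label, string $value): string
{
    return '<td>' . escapeHtml($label) . '</td><td>' . escapeHtml($value) . '</td>';
}

// Review/test helper: does the raw stored value survive unchanged in the
// rendered HTML? If it does, any markup it carries will be parsed as markup.
function valueReflectedRaw(string $html, string $value): bool
{
    return str_contains($html, $value);
}

$label = 'Display name';

$vulnerable = renderFieldVulnerable($label, $storedFieldValue);
$hardened   = renderFieldHardened($label, $storedFieldValue);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";

// The vulnerable rendering reflects the raw tag; the hardened one does not,
// because its angle brackets and quotes were encoded.
echo 'raw value reflected (vulnerable): ' . var_export(valueReflectedRaw($vulnerable, $storedFieldValue), true) . "\n";
echo 'raw value reflected (hardened):   ' . var_export(valueReflectedRaw($hardened, $storedFieldValue), true) . "\n";

// Encoding is lossless: decoding the hardened output restores the original
// text, so the data is preserved and only its interpretation as HTML is removed.
$roundTrip = htmlspecialchars_decode(escapeHtml($storedFieldValue), ENT_QUOTES | ENT_HTML5);
echo 'round trip preserves value: ' . var_export($roundTrip === $storedFieldValue, true) . "\n";
```

The encoding must match the output context: escapeHtml() above is correct for text inside an element or a quoted attribute, while values written into a JavaScript block or a URL need the corresponding JavaScript or URL encoding instead. Encoding at output rather than filtering at input is what keeps a value already stored by an attacker inert when it is later displayed, which is the case this advisory describes.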
- [1] NVD - CVE-2025-24412
- [2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | Packagist | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition | Packagist | <= 2.0.2 | (none) |
Affected products
- Adobe / Adobe Commerce, range: <= 2.4.8-beta1
- GHSA coordinates (no CPE), range: >= 2.4.7-beta1, < 2.4.7-p4
- GHSA coordinates (no CPE), range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m4rg-mpp2-97px (ghsa; ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-08.html (ghsa; vendor-advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-24412 (ghsa; ADVISORY)
News mentions
No linked articles in our index yet.