Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to stored XSS (CVE-2025-24414) allowing low-privileged attackers to inject scripts leading to session takeover.
Vulnerability
Overview
CVE-2025-24414 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The root cause is insufficient sanitization of user-supplied data in form fields, allowing an attacker to inject malicious scripts that are persisted on the server. [1]
Exploitation
A low-privileged authenticated attacker can exploit this vulnerability by crafting input that, when stored in a vulnerable form field, will execute arbitrary JavaScript in the browser of any user (including administrators) who visits the affected page. The attack requires no special network access beyond standard web application interaction. [1]
Impact
Successful exploitation permits the attacker to execute scripts in the victim's session context. This can be abused to steal session cookies, perform actions on behalf of the victim, or deface content—effectively leading to session takeover and high confidentiality/integrity impact. [1]
Mitigation
Adobe has not yet released a patch as of the publication date, but they recommend applying security updates as soon as they become available. The official GitHub repository provides the source code for Magento Open Source (the base of Adobe Commerce), which may receive patches via normal releases. [1][2]
- NVD - CVE-2025-24414
- GitHub - magento/magento2: Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
magento/community-editionPackagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
magento/community-editionPackagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
magento/community-editionPackagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
magento/community-editionPackagist | < 2.4.4-p12 | 2.4.4-p12 |
magento/project-community-editionPackagist | <= 2.0.2 | — |
Affected products
4- Range: <=2.4.8-beta1
- ghsa-coords2 versions
>= 2.4.7-beta1, < 2.4.7-p4+ 1 more
- (no CPE)range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE)range: <= 2.0.2
- Adobe/Adobe Commercev5Range: 0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-fhw6-3mj5-w9gvghsaADVISORY
- helpx.adobe.com/security/products/magento/apsb25-08.htmlghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-24414ghsaADVISORY
News mentions
0No linked articles in our index yet.