Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, which raises the confidentiality and integrity impact to high.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Adobe Commerce allows low-privileged attackers to inject malicious scripts via form fields, leading to session takeover.
Vulnerability
Overview
CVE-2025-24416 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The flaw exists in vulnerable form fields where user-supplied input is not properly sanitized before storage, allowing an attacker to inject arbitrary JavaScript [1].
Exploitation
Prerequisites
A low-privileged attacker with basic access to the application can submit crafted payloads into these form fields. When an administrator or other victim subsequently browses to the page containing the stored payload, the malicious script executes in the context of their browser session [1]. This attack vector does not require network-level access or authentication bypass, relying instead on insufficient output encoding on the server side.
Impact
Successful exploitation enables JavaScript execution that can be used to hijack active user sessions. According to the advisory, this leads to high confidentiality and integrity impact as the attacker can impersonate the victim and perform unauthorized actions, including data exfiltration or privilege escalation within the Adobe Commerce backend [1].
Mitigation
Status
Adobe has addressed this vulnerability in security updates released with the February 2025 patch bundle. Users are strongly advised to upgrade to the latest patched versions or apply the official hotfixes as outlined in Adobe's security bulletin. No workarounds are publicly documented; the canonical repository for Magento Open Source is available for reference [2].
- [1] NVD - CVE-2025-24416
- [2] GitHub - magento/magento2 (canonical Magento Open Source repository)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | Packagist | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products
- Adobe Commerce: range <= 2.4.8-beta1
- GHSA coordinates (2 version ranges): >= 2.4.7-beta1, < 2.4.7-p4, plus one more range not shown on this page
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5): range 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rjjw-g6hw-7pc9 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb25-08.html (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-24416 (NVD advisory, via GHSA)
News mentions
No linked articles in our index yet.