Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Scope is changed to that of other high-privileged accounts, leading to a high impact on confidentiality, integrity, and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Adobe Commerce (2.4.8 and earlier) allows high-privileged attackers to inject malicious scripts into form fields, impacting other privileged users.
Vulnerability
Overview
A stored Cross-Site Scripting (XSS) vulnerability exists in Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13, and earlier [1]. The root cause lies in insufficient sanitization of input in vulnerable form fields, allowing a high-privileged attacker to inject persistent malicious scripts [1].
Exploitation
Prerequisites and Attack Surface
Exploitation requires an authenticated attacker with high privileges (e.g., admin or similar role) within the Adobe Commerce backend [1]. The attacker injects the malicious payload into a form field that is subsequently rendered to other high-privileged users [1]. The attack does not require social engineering beyond standard administrative actions.
Impact
When a victim with high privileges browses to the affected page, the injected JavaScript executes in their browser [1]. This can lead to unauthorized data access, modification of configurations, or further compromise of the application, with high impact on confidentiality, integrity, and availability [1]. The scope change indicates the attack can affect resources beyond the initial vulnerable component.
Mitigation and Status
Adobe has likely released security patches addressing this vulnerability; users should upgrade to the latest supported versions of Adobe Commerce [1][2]. The official product repository (Magento Open Source) may contain fix references [2]. As of publication, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
- NVD - CVE-2025-47110
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p1 | 2.4.8-p1 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p6 | 2.4.7-p6 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p11 | 2.4.6-p11 |
| magento/community-edition (Packagist) | < 2.4.5-p13 | 2.4.5-p13 |
Affected products
- Adobe / Adobe Commerce, affected range: <= 2.4.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j934-vjh5-vf9r (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb25-50.html (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2025-47110 (NVD advisory)
News mentions
No linked articles in our index yet.