Adobe Commerce | Improper Input Validation (CWE-20)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions 2.4.9-alpha1 and earlier are vulnerable to an Improper Input Validation flaw that allows unauthenticated remote attackers to cause denial-of-service via crafted input.
The vulnerability is an Improper Input Validation issue in Adobe Commerce, affecting versions 2.4.4-p14 through 2.4.9-alpha1. The root cause is insufficient validation of user-supplied input, allowing an attacker to inject specially crafted data that causes the application to crash or become unresponsive [1].
Exploitation does not require any user interaction. An unauthenticated remote attacker can send a crafted request to the affected endpoints, triggering the input validation flaw. No special privileges or network position beyond standard internet connectivity is needed [1].
Successful exploitation leads to a denial-of-service condition, rendering the Adobe Commerce application unavailable to legitimate users. This can disrupt eCommerce operations, leading to potential revenue loss and reputational damage.
Adobe has released security updates to address this vulnerability in the affected versions. Users are advised to apply the latest patches available from the Adobe Security Bulletin to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha2 | 2.4.9-alpha2 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p2 | 2.4.8-p2 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | < 2.4.5-p14 | 2.4.5-p14 |
Affected products
- Range: <=2.4.9-alpha1
- Adobe/Adobe Commerce (v5), Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xgfm-992v-h2hr (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-71.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-49554 (ghsa, ADVISORY)