Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privileged attacker can inject stored XSS in Adobe Commerce form fields, leading to session takeover when a victim views the page.
Vulnerability
Details
CVE-2025-49557 is a stored Cross-Site Scripting (XSS) vulnerability in Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier. The vulnerability resides in form fields that do not properly sanitize user input, allowing an attacker to store malicious scripts that execute in the context of a victim's browser session [1].
Exploitation
Prerequisites
Exploitation requires a low-privileged attacker who can submit data to vulnerable form fields. The attack chain depends on user interaction: a victim must browse to the page containing the injected script. No special network position is required; the attacker can be authenticated with minimal privileges [1].
Impact
Successful exploitation enables session takeover, providing the attacker with the victim's session credentials. This leads to high confidentiality and integrity impact, as the attacker can access sensitive data and perform actions on behalf of the victim. The vulnerability changes the attack scope, meaning the impact may extend beyond the vulnerable component [1].
Mitigation
Adobe has not released a patch at the time of publication; affected versions include multiple release lines. Users should monitor Adobe Security Bulletins for updates and apply the latest available patches. As a workaround, restrict access to form submission endpoints where possible [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | < 2.4.4-p15 | 2.4.4-p15 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p14 | 2.4.5-p14 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | >= 2.4.7-p1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Adobe/Adobe Commerce: <= 2.4.9-alpha1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8mq8-c243-2335 (GHSA advisory)
- helpx.adobe.com/security/products/magento/apsb25-71.html (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-49557 (NVD advisory)
News mentions
No linked articles in our index yet.