VYPR
Moderate severity · NVD Advisory · Published Oct 14, 2025 · Updated Oct 15, 2025

Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)

CVE-2025-54266

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Adobe Commerce is vulnerable to a stored XSS allowing high-privileged users to inject scripts into form fields, executing in victims' browsers when the page is viewed.

Vulnerability

Details

CVE-2025-54266 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier [1]. The flaw is in form fields whose stored values are later rendered without proper sanitization or output encoding; a high-privileged attacker (an administrator or a comparable role) can inject scripts through them. Because the injected input is persisted on the server and served to other users afterwards, this is a stored rather than reflected XSS [1].

Exploitation and Attack Surface

Exploitation requires the attacker to already hold high privileges in the application, such as administrative access to the content management or configuration forms that carry the affected fields [1]. The attacker saves a JavaScript payload into a field whose value is not properly sanitized or encoded before it is rendered. Because the payload is persisted, it executes in the browser of every user who subsequently loads the page containing that field; the only user interaction needed is that visit [1]. The CVSS scope is changed: the vulnerable component is the Adobe Commerce application, but the impact lands in the victim's browser, a different security authority, so the attack reaches beyond the component that holds the flaw [1].
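The fix class for a stored XSS of this kind is output encoding chosen for the context the stored value lands in. The following is an added Python illustration, not Adobe Commerce code and not tied to any specific field in CVE-2025-54266: it models a hypothetical admin-editable store label that is saved verbatim and then rendered into an HTML element, an HTML attribute and an inline script, first without encoding and then with context-appropriate encoding. Both payloads are constructed for the demonstration.

```python
import html
import json

# Constructed payloads of the kind a high-privileged user could store in a form
# field. Neither comes from the advisory; they stand in for any stored value.
STORED_LABEL = '"><img src=x onerror=alert(document.cookie)>//'
SCRIPT_BREAKOUT = '</script><script>alert(1)</script>'


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into markup as-is,
    so whatever was saved through the admin form is parsed as HTML/JS by the
    victim's browser when the page is viewed."""
    return (
        f'<h1>{label}</h1>\n'
        f'<input name="label" value="{label}">\n'
        f'<script>var label = "{label}";</script>'
    )


def js_string(value: str) -> str:
    """Encode a value for use as a string literal inside an inline <script>.
    json.dumps escapes quotes, backslashes and control characters; '<' and '>'
    are escaped on top of that because the HTML parser ends a script element
    at the first '</script>' regardless of JavaScript quoting."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(label: str) -> str:
    """Hardened pattern: one encoder per output context.
    html.escape (quote=True by default) covers element content and
    double-quoted attribute values; js_string covers the script literal."""
    return (
        f'<h1>{html.escape(label)}</h1>\n'
        f'<input name="label" value="{html.escape(label)}">\n'
        f'<script>var label = {js_string(label)};</script>'
    )


def injected_markup_survives(rendered: str) -> bool:
    """Crude oracle for the demo: does a stored '<img' or a second '<script>'
    reach the output as live markup? Encoded forms ('&lt;img', '\\u003cimg')
    do not match."""
    return "<img" in rendered or rendered.count("<script>") > 1


if __name__ == "__main__":
    for payload in (STORED_LABEL, SCRIPT_BREAKOUT):
        print("unsafe:", injected_markup_survives(render_unsafe(payload)))
        print("safe:  ", injected_markup_survives(render_safe(payload)))
```

The second payload is the one that trips up code which only JSON-encodes values placed in inline scripts: the quoting is valid JavaScript, but the HTML parser still closes the element at the literal `</script>`, which is why `js_string` escapes the angle brackets as well.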

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data, defacement, or further malicious actions within the victim's Adobe Commerce environment [1].

Mitigation

Adobe has released fixed versions of Adobe Commerce and Magento Open Source. Update to the patched release for your line as listed in the official advisory and in the Affected packages table below: 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8 or 2.4.6-p13 [1]. The 2.4.6-p13 row also covers the 2.4.5-p14 and 2.4.4-p15 installations named in the description, since its affected range is every version below 2.4.6-p13; no fixed version is listed for the magento/project-community-edition <= 2.0.2 row. No workarounds have been published beyond applying the patch. Because exploitation needs an existing high-privileged account, it is also worth reviewing who holds administrative roles and checking admin-editable content fields for unexpected markup while the update is being rolled out.
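A check worth running before and after the update, written here as an added Python example rather than anything shipped by Adobe or the advisory: it parses a composer.lock, orders Magento's version scheme correctly (alpha and beta releases sort below the GA release, which sorts below p-releases) and compares the installed magento/community-edition or magento/project-community-edition version against the ranges listed in the Affected packages table on this page. The composer.lock content is a constructed sample.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Ordering of the release stage within one x.y.z base version, following the
# Magento scheme: 2.4.8-alpha1 < 2.4.8-beta1 < 2.4.8 < 2.4.8-p1 < 2.4.8-p2 ...
STAGE_ORDER = {"alpha": 0, "beta": 1, "": 2, "p": 3}

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '2.4.7-p7' into a tuple that sorts correctly: (2, 4, 7, 3, 7).
    A GA release such as '2.4.7' becomes (2, 4, 7, 2, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = m.group(4) or ""
    return (major, minor, patch, STAGE_ORDER[stage], int(m.group(5) or 0))


# Ranges copied from the Affected packages table on this page:
# (package, lower bound inclusive or None, upper bound, upper bound inclusive?, patched version or None)
AFFECTED_RANGES = [
    ("magento/project-community-edition", None, "2.0.2", True, None),
    ("magento/community-edition", "2.4.9-alpha1", "2.4.9-alpha3", False, "2.4.9-alpha3"),
    ("magento/community-edition", "2.4.8-beta1", "2.4.8-p3", False, "2.4.8-p3"),
    ("magento/community-edition", "2.4.7-beta1", "2.4.7-p8", False, "2.4.7-p8"),
    ("magento/community-edition", None, "2.4.6-p13", False, "2.4.6-p13"),
]

WATCHED_PACKAGES = {entry[0] for entry in AFFECTED_RANGES}


def assess(package: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, patched_version). patched_version is None when the
    package is not affected, and also when the table lists no fix (the
    magento/project-community-edition row)."""
    key = parse_version(version)
    for pkg, lo, hi, hi_inclusive, fixed in AFFECTED_RANGES:
        if pkg != package:
            continue
        if lo is not None and key < parse_version(lo):
            continue
        hi_key = parse_version(hi)
        if key > hi_key or (key == hi_key and not hi_inclusive):
            continue
        return True, fixed
    return False, None


def check_composer_lock(lock_text: str) -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Scan composer.lock JSON for the watched packages and assess each.
    Maps package name -> (installed version, affected, patched version)."""
    lock = json.loads(lock_text)
    results = {}
    for pkg in lock.get("packages", []):
        if pkg.get("name") in WATCHED_PACKAGES:
            affected, fixed = assess(pkg["name"], pkg["version"])
            results[pkg["name"]] = (pkg["version"], affected, fixed)
    return results


# Constructed composer.lock fragment; real files carry many more fields per package.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/community-edition", "version": "2.4.7-p7"},
        {"name": "monolog/monolog", "version": "2.9.2"},
    ]
})

if __name__ == "__main__":
    for name, (installed, affected, fixed) in check_composer_lock(SAMPLE_COMPOSER_LOCK).items():
        if affected and fixed:
            status = f"affected, update to {fixed}"
        elif affected:
            status = "affected, no fixed version listed"
        else:
            status = "not in an affected range"
        print(f"{name} {installed}: {status}")
```

Swap SAMPLE_COMPOSER_LOCK for the contents of the deployment's own composer.lock. The sort key matters: a plain string comparison puts 2.4.7-p10 before 2.4.7-p7 and 2.4.8-beta1 after 2.4.8, so a naive check would misjudge exactly the versions the table's boundaries depend on.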

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Ecosystem   Affected versions                 Patched versions
magento/project-community-edition   Packagist   <= 2.0.2                          (none listed)
magento/community-edition           Packagist   >= 2.4.9-alpha1, < 2.4.9-alpha3   2.4.9-alpha3
magento/community-edition           Packagist   >= 2.4.8-beta1, < 2.4.8-p3        2.4.8-p3
magento/community-edition           Packagist   >= 2.4.7-beta1, < 2.4.7-p8        2.4.7-p8
magento/community-edition           Packagist   < 2.4.6-p13                       2.4.6-p13
