Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/580532?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/580532?format=api", "purl": "pkg:composer/magento/project-community-edition@0.42.0-beta1", "type": "composer", "namespace": "magento", "name": "project-community-edition", "version": "0.42.0-beta1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111547?format=api", "vulnerability_id": "VCID-1b6m-qfes-mqab", "summary": "Magento Insufficient Session Expiration\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21031", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38019", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38109", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21031" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21031", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21031" }, { "reference_url": "https://github.com/advisories/GHSA-4h3p-63x6-vwg2", "reference_id": "GHSA-4h3p-63x6-vwg2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h3p-63x6-vwg2" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21031", "GHSA-4h3p-63x6-vwg2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1b6m-qfes-mqab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57823?format=api", "vulnerability_id": "VCID-1jsp-392b-2fgb", "summary": "Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability\nMagento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49558", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00505", "scoring_system": "epss", "scoring_elements": "0.66592", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49558" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-13T15:04:13Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49558", "reference_id": "CVE-2025-49558", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49558" }, { "reference_url": "https://github.com/advisories/GHSA-wcmw-8xpp-rwfj", "reference_id": "GHSA-wcmw-8xpp-rwfj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wcmw-8xpp-rwfj" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49558", "GHSA-wcmw-8xpp-rwfj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1jsp-392b-2fgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111549?format=api", "vulnerability_id": "VCID-1vw9-9rmg-ekdz", "summary": "Magento command injection vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9578", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0323", "scoring_system": "epss", "scoring_elements": "0.87306", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0323", "scoring_system": "epss", "scoring_elements": "0.87328", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9578" }, { "reference_url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9578", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9578" }, { "reference_url": "https://github.com/advisories/GHSA-724x-gqhv-9c5x", "reference_id": "GHSA-724x-gqhv-9c5x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-724x-gqhv-9c5x" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9578", "GHSA-724x-gqhv-9c5x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1vw9-9rmg-ekdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111949?format=api", "vulnerability_id": "VCID-2fd4-t2w2-8uhd", "summary": "Magento stored cross-site scripting vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure .", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9577", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00319", "scoring_system": "epss", "scoring_elements": "0.55278", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00319", "scoring_system": "epss", "scoring_elements": "0.55335", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9577" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9577", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9577" }, { "reference_url": "https://github.com/advisories/GHSA-689w-2f93-2x67", "reference_id": "GHSA-689w-2f93-2x67", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-689w-2f93-2x67" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9577", "GHSA-689w-2f93-2x67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2fd4-t2w2-8uhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112156?format=api", "vulnerability_id": "VCID-2g87-y8ek-xfdr", "summary": "Magento affected by a server-side denial-of-service using a GraphQL field\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An unauthenticated attacker could abuse this vulnerability to cause a server-side denial-of-service using a GraphQL field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36044", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01739", "scoring_system": "epss", "scoring_elements": "0.82853", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01739", "scoring_system": "epss", "scoring_elements": "0.82879", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36044" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36044", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36044" }, { "reference_url": "https://github.com/advisories/GHSA-wr57-3h2f-3q95", "reference_id": "GHSA-wr57-3h2f-3q95", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wr57-3h2f-3q95" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36044", "GHSA-wr57-3h2f-3q95" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2g87-y8ek-xfdr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45420?format=api", "vulnerability_id": "VCID-2h52-3pt6-dfcw", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29296", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30629", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29296" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:03Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29296", "reference_id": "CVE-2023-29296", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29296" }, { "reference_url": "https://github.com/advisories/GHSA-3qr4-w96f-672v", "reference_id": "GHSA-3qr4-w96f-672v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3qr4-w96f-672v" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29296", "GHSA-3qr4-w96f-672v" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2h52-3pt6-dfcw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111728?format=api", "vulnerability_id": "VCID-2ttz-k7d2-jucf", "summary": "Magento is affected by an os command injection via the Data collection endpoint\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper Neutralization of Special Elements Used In A Command via the Data collection endpoint. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36024", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08668", "scoring_system": "epss", "scoring_elements": "0.92607", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.08668", "scoring_system": "epss", "scoring_elements": "0.9262", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36024" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36024", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36024" }, { "reference_url": "https://github.com/advisories/GHSA-qmq6-jpvg-j547", "reference_id": "GHSA-qmq6-jpvg-j547", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmq6-jpvg-j547" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36024", "GHSA-qmq6-jpvg-j547" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ttz-k7d2-jucf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56632?format=api", "vulnerability_id": "VCID-2vsw-t8k2-4bfm", "summary": "Adobe Commerce Improper Authorization vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24409", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.34796", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24409" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-11T19:11:11Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24409", "reference_id": "CVE-2025-24409", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24409" }, { "reference_url": "https://github.com/advisories/GHSA-vw47-79jv-3598", "reference_id": "GHSA-vw47-79jv-3598", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vw47-79jv-3598" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24409", "GHSA-vw47-79jv-3598" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2vsw-t8k2-4bfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45958?format=api", "vulnerability_id": "VCID-36ve-7wxt-z7fz", "summary": "Magento affected by remote code execution vulnerability in the CMS page scheduled update feature\nMagento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36021", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01308", "scoring_system": "epss", "scoring_elements": "0.80129", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01308", "scoring_system": "epss", "scoring_elements": "0.80155", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36021" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-13T15:48:42Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36021", "reference_id": "CVE-2021-36021", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36021" }, { "reference_url": "https://github.com/advisories/GHSA-4g27-q2w9-m8m8", "reference_id": "GHSA-4g27-q2w9-m8m8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4g27-q2w9-m8m8" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36021", "GHSA-4g27-q2w9-m8m8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-36ve-7wxt-z7fz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45421?format=api", "vulnerability_id": "VCID-3et4-3zad-1qfn", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29290", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00146", "scoring_system": "epss", "scoring_elements": "0.34826", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29290" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:03Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29290", "reference_id": "CVE-2023-29290", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29290" }, { "reference_url": "https://github.com/advisories/GHSA-qw5m-vmp3-f553", "reference_id": "GHSA-qw5m-vmp3-f553", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qw5m-vmp3-f553" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29290", "GHSA-qw5m-vmp3-f553" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3et4-3zad-1qfn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55685?format=api", "vulnerability_id": "VCID-3zcy-b3th-ukhd", "summary": "Magento Improper Access Control Leads to Privilege escalation\nAdobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39419", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46342", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39419" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:08:00Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39419", "reference_id": "CVE-2024-39419", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39419" }, { "reference_url": "https://github.com/advisories/GHSA-74w7-cr4v-wf2v", "reference_id": "GHSA-74w7-cr4v-wf2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-74w7-cr4v-wf2v" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39419", "GHSA-74w7-cr4v-wf2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3zcy-b3th-ukhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112379?format=api", "vulnerability_id": "VCID-4cbe-djqs-tug1", "summary": "Magento is affected by an improper input validation vulnerability\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36032", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00646", "scoring_system": "epss", "scoring_elements": "0.71112", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00646", "scoring_system": "epss", "scoring_elements": "0.71155", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36032" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36032", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36032" }, { "reference_url": "https://github.com/advisories/GHSA-5vw8-r55w-f4q4", "reference_id": "GHSA-5vw8-r55w-f4q4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5vw8-r55w-f4q4" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36032", "GHSA-5vw8-r55w-f4q4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4cbe-djqs-tug1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57444?format=api", "vulnerability_id": "VCID-4dae-vty8-b7hk", "summary": "Magento Improper Access Control leads to security feature bypass\nAdobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited write access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27206", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00706", "scoring_system": "epss", "scoring_elements": "0.72543", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27206" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T18:08:33Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27206", "reference_id": "CVE-2025-27206", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27206" }, { "reference_url": "https://github.com/advisories/GHSA-g2pj-xmxq-3r9q", "reference_id": "GHSA-g2pj-xmxq-3r9q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g2pj-xmxq-3r9q" } ], "fixed_packages": [], "aliases": [ "CVE-2025-27206", "GHSA-g2pj-xmxq-3r9q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4dae-vty8-b7hk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111112?format=api", "vulnerability_id": "VCID-4dpj-5zh4-4fgv", "summary": "Magento command injection vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9576", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.031", "scoring_system": "epss", "scoring_elements": "0.87045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.031", "scoring_system": "epss", "scoring_elements": "0.87067", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9576" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9576", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9576" }, { "reference_url": "https://github.com/advisories/GHSA-4f7x-gjqc-qqpg", "reference_id": "GHSA-4f7x-gjqc-qqpg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4f7x-gjqc-qqpg" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9576", "GHSA-4f7x-gjqc-qqpg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4dpj-5zh4-4fgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111541?format=api", "vulnerability_id": "VCID-4w1v-es9j-subp", "summary": "Magento XML Injection vulnerability in the 'City' field\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the 'City' field. An unauthenticated attacker can trigger a specially crafted script to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36020", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.31066", "scoring_system": "epss", "scoring_elements": "0.96838", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.31066", "scoring_system": "epss", "scoring_elements": "0.96843", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36020" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36020", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36020" }, { "reference_url": "https://github.com/advisories/GHSA-xvpx-6hh8-7h72", "reference_id": "GHSA-xvpx-6hh8-7h72", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xvpx-6hh8-7h72" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36020", "GHSA-xvpx-6hh8-7h72" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4w1v-es9j-subp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45407?format=api", "vulnerability_id": "VCID-525q-afzj-tkcp", "summary": "Magento Open Source affected by Improper Input Validation\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An admin privileged attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29293", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14219", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29293" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:13Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29293", "reference_id": "CVE-2023-29293", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L" }, { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29293" }, { "reference_url": "https://github.com/advisories/GHSA-66c9-xrwj-9xv6", "reference_id": "GHSA-66c9-xrwj-9xv6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-66c9-xrwj-9xv6" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29293", "GHSA-66c9-xrwj-9xv6" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-525q-afzj-tkcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55687?format=api", "vulnerability_id": "VCID-5gxr-xksz-5ydb", "summary": "Magento Improper Authorization leads to security feature bypass\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39411", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39411" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:11:14Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39411", "reference_id": "CVE-2024-39411", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39411" }, { "reference_url": "https://github.com/advisories/GHSA-qm77-mqf3-fmhq", "reference_id": "GHSA-qm77-mqf3-fmhq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm77-mqf3-fmhq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39411", "GHSA-qm77-mqf3-fmhq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5gxr-xksz-5ydb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111460?format=api", "vulnerability_id": "VCID-5ppd-jm8d-97eh", "summary": "Magento business logic error vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a business logic error vulnerability. Successful exploitation could lead to privilege escalation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9630", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00844", "scoring_system": "epss", "scoring_elements": "0.75132", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00844", "scoring_system": "epss", "scoring_elements": "0.75161", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9630" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9630", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9630" }, { "reference_url": "https://github.com/advisories/GHSA-5j4w-v87m-8r65", "reference_id": "GHSA-5j4w-v87m-8r65", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5j4w-v87m-8r65" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9630", "GHSA-5j4w-v87m-8r65" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5ppd-jm8d-97eh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108761?format=api", "vulnerability_id": "VCID-5wfa-wpby-dke1", "summary": "Magento Open Source allows Improper Access Control\nAdobe Commerce versions 2.4.3-p3 (and earlier), 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35689", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65783", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65836", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35689" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:05:52Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35689", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35689" }, { "reference_url": "https://github.com/advisories/GHSA-5fxx-jwjm-x9hj", "reference_id": "GHSA-5fxx-jwjm-x9hj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fxx-jwjm-x9hj" } ], "fixed_packages": [], "aliases": [ "CVE-2022-35689", "GHSA-5fxx-jwjm-x9hj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5wfa-wpby-dke1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111521?format=api", "vulnerability_id": "VCID-69wt-c418-mubr", "summary": "Magento Open Source allows Cross-Site Request Forgery (CSRF)\nAdobe Commerce versions 2.4.2-p2 (and earlier), 2.4.3 (and earlier) and 2.3.7p1 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via a Wishlist Share Link. Successful exploitation could lead to unauthorized addition to a customer's cart by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39864", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00997", "scoring_system": "epss", "scoring_elements": "0.77333", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00997", "scoring_system": "epss", "scoring_elements": "0.77304", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39864" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:10:33Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-86.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39864", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39864" }, { "reference_url": "https://github.com/advisories/GHSA-94wq-87g6-8h77", "reference_id": "GHSA-94wq-87g6-8h77", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-94wq-87g6-8h77" } ], "fixed_packages": [], "aliases": [ "CVE-2021-39864", "GHSA-94wq-87g6-8h77" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-69wt-c418-mubr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111409?format=api", "vulnerability_id": "VCID-6mjf-p1d9-8qa1", "summary": "Magento stored cross-site scripting vulnerability\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36027", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01528", "scoring_system": "epss", "scoring_elements": "0.81624", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01528", "scoring_system": "epss", "scoring_elements": "0.81654", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36027" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36027", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36027" }, { "reference_url": "https://github.com/advisories/GHSA-x2v2-2jhp-c5hv", "reference_id": "GHSA-x2v2-2jhp-c5hv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2v2-2jhp-c5hv" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36027", "GHSA-x2v2-2jhp-c5hv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6mjf-p1d9-8qa1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57531?format=api", "vulnerability_id": "VCID-6p6q-ctya-q3bv", "summary": "Magento Authenticated Security feature bypass\nMagento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49549", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00514", "scoring_system": "epss", "scoring_elements": "0.66971", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49549" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T18:12:28Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49549", "reference_id": "CVE-2025-49549", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49549" }, { "reference_url": "https://github.com/advisories/GHSA-85jx-x9r4-45m2", "reference_id": "GHSA-85jx-x9r4-45m2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-85jx-x9r4-45m2" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49549", "GHSA-85jx-x9r4-45m2" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6p6q-ctya-q3bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55695?format=api", "vulnerability_id": "VCID-6t9w-cnkz-s3c3", "summary": "Magento DOM-based Cross-Site Scripting (XSS) vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. Exploitation of this issue requires user interaction, such as convincing a victim to click on a malicious link. Confidentiality and integrity impact is high as it affects other admin accounts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39400", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01472", "scoring_system": "epss", "scoring_elements": "0.81307", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39400" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:12:38Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39400", "reference_id": "CVE-2024-39400", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39400" }, { "reference_url": "https://github.com/advisories/GHSA-52fg-wjxm-pp44", "reference_id": "GHSA-52fg-wjxm-pp44", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-52fg-wjxm-pp44" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39400", "GHSA-52fg-wjxm-pp44" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6t9w-cnkz-s3c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56639?format=api", "vulnerability_id": "VCID-6tx4-wexr-fkbb", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain elevated privileges. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24437", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35712", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24437" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:48:35Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24437", "reference_id": "CVE-2025-24437", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24437" }, { "reference_url": "https://github.com/advisories/GHSA-469f-wf4f-3jjv", "reference_id": "GHSA-469f-wf4f-3jjv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-469f-wf4f-3jjv" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24437", "GHSA-469f-wf4f-3jjv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tx4-wexr-fkbb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112057?format=api", "vulnerability_id": "VCID-6wdt-8fbe-hkbe", "summary": "Magento Improper Authorization vulnerability in the customers module\nMagento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are vulnerable to an Improper Authorization vulnerability in the customers module. Successful exploitation could allow a low-privileged user to modify customer data. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28567", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27852", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27786", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28567" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28567", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28567" }, { "reference_url": "https://github.com/advisories/GHSA-cc3w-r3w8-hfh7", "reference_id": "GHSA-cc3w-r3w8-hfh7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc3w-r3w8-hfh7" } ], "fixed_packages": [], "aliases": [ "CVE-2021-28567", "GHSA-cc3w-r3w8-hfh7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6wdt-8fbe-hkbe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111962?format=api", "vulnerability_id": "VCID-6x2s-f7fh-4yac", "summary": "Magento stored cross-site scripting vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00319", "scoring_system": "epss", "scoring_elements": "0.55278", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00319", "scoring_system": "epss", "scoring_elements": "0.55335", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9581" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9581", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9581" }, { "reference_url": "https://github.com/advisories/GHSA-2w2x-7qgj-4x78", "reference_id": "GHSA-2w2x-7qgj-4x78", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2w2x-7qgj-4x78" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9581", "GHSA-2w2x-7qgj-4x78" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6x2s-f7fh-4yac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55682?format=api", "vulnerability_id": "VCID-7hrm-jtbx-sqgm", "summary": "Magento OS Command ('OS Command Injection') vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39402", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0264", "scoring_system": "epss", "scoring_elements": "0.86017", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39402" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:12:09Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39402", "reference_id": "CVE-2024-39402", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39402" }, { "reference_url": "https://github.com/advisories/GHSA-2ff6-837j-hg5x", "reference_id": "GHSA-2ff6-837j-hg5x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2ff6-837j-hg5x" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39402", "GHSA-2ff6-837j-hg5x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7hrm-jtbx-sqgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56638?format=api", "vulnerability_id": "VCID-7s74-rdkp-vyaf", "summary": "Magento Incorrect Authorization vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to perform actions with permissions that were not granted. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24421", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35372", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24421" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:49:01Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24421", "reference_id": "CVE-2025-24421", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24421" }, { "reference_url": "https://github.com/advisories/GHSA-v6r2-425c-hfrr", "reference_id": "GHSA-v6r2-425c-hfrr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v6r2-425c-hfrr" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24421", "GHSA-v6r2-425c-hfrr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7s74-rdkp-vyaf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45404?format=api", "vulnerability_id": "VCID-7s7e-adr6-h3dc", "summary": "Magento Open Source allows Information Exposure\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Information Exposure vulnerability that could lead to a security feature bypass. An attacker could leverage this vulnerability to leak minor user data. Exploitation of this issue does not require user interaction..", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29287", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54316", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29287" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:07Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29287", "reference_id": "CVE-2023-29287", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29287" }, { "reference_url": "https://github.com/advisories/GHSA-85m4-g9vq-xpxj", "reference_id": "GHSA-85m4-g9vq-xpxj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-85m4-g9vq-xpxj" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29287", "GHSA-85m4-g9vq-xpxj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7s7e-adr6-h3dc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111051?format=api", "vulnerability_id": "VCID-8ape-agd1-s7hf", "summary": "Magento Improper Access Control\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an access control bypass vulnerability in the Login as Customer module. Successful exploitation could lead to unauthorized access to restricted resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21020", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00111", "scoring_system": "epss", "scoring_elements": "0.29099", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00111", "scoring_system": "epss", "scoring_elements": "0.29169", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21020" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21020", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21020" }, { "reference_url": "https://github.com/advisories/GHSA-2j6v-829g-885q", "reference_id": "GHSA-2j6v-829g-885q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2j6v-829g-885q" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21020", "GHSA-2j6v-829g-885q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ape-agd1-s7hf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56636?format=api", "vulnerability_id": "VCID-8hx4-r8bb-n7ge", "summary": "Magento stored Cross-Site Scripting (XSS) vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24428", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0102", "scoring_system": "epss", "scoring_elements": "0.77594", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24428" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:49:10Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24428", "reference_id": "CVE-2025-24428", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24428" }, { "reference_url": "https://github.com/advisories/GHSA-mm87-rrqx-94cr", "reference_id": "GHSA-mm87-rrqx-94cr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mm87-rrqx-94cr" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24428", "GHSA-mm87-rrqx-94cr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8hx4-r8bb-n7ge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56625?format=api", "vulnerability_id": "VCID-8ky6-w2nk-9bds", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24411", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.28955", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24411" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:40Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24411", "reference_id": "CVE-2025-24411", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24411" }, { "reference_url": "https://github.com/advisories/GHSA-36hw-x3cc-m258", "reference_id": "GHSA-36hw-x3cc-m258", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-36hw-x3cc-m258" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24411", "GHSA-36hw-x3cc-m258" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8ky6-w2nk-9bds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55679?format=api", "vulnerability_id": "VCID-8msu-s38a-p7e3", "summary": "Magento Path Traversal vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. A low-privileged attacker could exploit this vulnerability to gain access to files and directories that are outside the restricted directory. Exploitation of this issue does not require user interaction and scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39399", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00842", "scoring_system": "epss", "scoring_elements": "0.7513", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39399" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T14:09:03Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39399", "reference_id": "CVE-2024-39399", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39399" }, { "reference_url": "https://github.com/advisories/GHSA-7r99-8wqp-h7pc", "reference_id": "GHSA-7r99-8wqp-h7pc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7r99-8wqp-h7pc" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39399", "GHSA-7r99-8wqp-h7pc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8msu-s38a-p7e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57107?format=api", "vulnerability_id": "VCID-8shb-t5zp-rqbu", "summary": "Magento Improper Access Control leads to Security feature bypass\nMagento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27190", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50333", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27190" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T20:53:02Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27190", "reference_id": "CVE-2025-27190", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27190" }, { "reference_url": "https://github.com/advisories/GHSA-6wq7-cg9h-mj6q", "reference_id": "GHSA-6wq7-cg9h-mj6q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6wq7-cg9h-mj6q" } ], "fixed_packages": [], "aliases": [ "CVE-2025-27190", "GHSA-6wq7-cg9h-mj6q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8shb-t5zp-rqbu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111210?format=api", "vulnerability_id": "VCID-8u5e-d6nx-3khc", "summary": "Magento Path Traversal vulnerability via the `theme[preview_image]` parameter\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a Path Traversal vulnerability via the `theme[preview_image]` parameter. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36031", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.1031", "scoring_system": "epss", "scoring_elements": "0.93313", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.1031", "scoring_system": "epss", "scoring_elements": "0.93325", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36031" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36031", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36031" }, { "reference_url": "https://github.com/advisories/GHSA-7w95-qwhh-q9p3", "reference_id": "GHSA-7w95-qwhh-q9p3", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7w95-qwhh-q9p3" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36031", "GHSA-7w95-qwhh-q9p3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8u5e-d6nx-3khc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111082?format=api", "vulnerability_id": "VCID-92tv-nghv-mqf2", "summary": "Magento DOM-based Cross-site scripting vulnerability\nMagento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a dom-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9691", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02798", "scoring_system": "epss", "scoring_elements": "0.86379", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02798", "scoring_system": "epss", "scoring_elements": "0.86402", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9691" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/9436781734e47c83e96977fa770d255217680d5e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/9436781734e47c83e96977fa770d255217680d5e" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9691", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9691" }, { "reference_url": "https://github.com/advisories/GHSA-g7pc-799q-743f", "reference_id": "GHSA-g7pc-799q-743f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g7pc-799q-743f" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9691", "GHSA-g7pc-799q-743f" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-92tv-nghv-mqf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55694?format=api", "vulnerability_id": "VCID-9cc9-npdc-8bac", "summary": "Magento Stored Cross-Site Scripting (XSS) vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality impact is high due to the attacker being able to exfiltrate sensitive information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39403", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02812", "scoring_system": "epss", "scoring_elements": "0.86429", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39403" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:08:14Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39403", "reference_id": "CVE-2024-39403", "reference_type": "", "scores": [ { "value": "7.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39403" }, { "reference_url": "https://github.com/advisories/GHSA-mmp7-8cg4-9wrg", "reference_id": "GHSA-mmp7-8cg4-9wrg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmp7-8cg4-9wrg" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39403", "GHSA-mmp7-8cg4-9wrg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cc9-npdc-8bac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55677?format=api", "vulnerability_id": "VCID-9vrt-uccb-myev", "summary": "Magento Improper Authorization Leading to Security feature bypass\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39415", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39415" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:13:06Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39415", "reference_id": "CVE-2024-39415", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39415" }, { "reference_url": "https://github.com/advisories/GHSA-gj93-84g5-mcjq", "reference_id": "GHSA-gj93-84g5-mcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj93-84g5-mcjq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39415", "GHSA-gj93-84g5-mcjq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9vrt-uccb-myev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55675?format=api", "vulnerability_id": "VCID-a8gs-ervm-e3hm", "summary": "Magento Improper Authorization vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00243", "scoring_system": "epss", "scoring_elements": "0.47829", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39407" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:10:04Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39407", "reference_id": "CVE-2024-39407", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39407" }, { "reference_url": "https://github.com/advisories/GHSA-cjm6-8mw8-2f8c", "reference_id": "GHSA-cjm6-8mw8-2f8c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cjm6-8mw8-2f8c" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39407", "GHSA-cjm6-8mw8-2f8c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8gs-ervm-e3hm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56631?format=api", "vulnerability_id": "VCID-a9b6-tenb-afdw", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24416", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24416" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:48Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24416", "reference_id": "CVE-2025-24416", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24416" }, { "reference_url": "https://github.com/advisories/GHSA-rjjw-g6hw-7pc9", "reference_id": "GHSA-rjjw-g6hw-7pc9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rjjw-g6hw-7pc9" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24416", "GHSA-rjjw-g6hw-7pc9" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a9b6-tenb-afdw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55691?format=api", "vulnerability_id": "VCID-agtm-nkhp-dkdn", "summary": "Magento does not properly restrict excessive authentication attempts\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute force attacks and potentially gain unauthorized access to accounts. Exploitation of this issue does not require user interaction, but attack complexity is high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39398", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.4705", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39398" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:10:17Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39398", "reference_id": "CVE-2024-39398", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39398" }, { "reference_url": "https://github.com/advisories/GHSA-q628-54wg-4r5q", "reference_id": "GHSA-q628-54wg-4r5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q628-54wg-4r5q" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39398", "GHSA-q628-54wg-4r5q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-agtm-nkhp-dkdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111197?format=api", "vulnerability_id": "VCID-apue-gaqy-n3cq", "summary": "Magento 2 Community Edition Incorrect Authorization\nMagento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect authorization vulnerability. A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24401", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.52037", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00284", "scoring_system": "epss", "scoring_elements": "0.52097", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24401" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24401", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24401" }, { "reference_url": "https://github.com/advisories/GHSA-f2g3-3c6q-4478", "reference_id": "GHSA-f2g3-3c6q-4478", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f2g3-3c6q-4478" } ], "fixed_packages": [], "aliases": [ "CVE-2020-24401", "GHSA-f2g3-3c6q-4478" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-apue-gaqy-n3cq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45411?format=api", "vulnerability_id": "VCID-az2w-5xhy-5fe4", "summary": "Magento Open Source allows Improper Neutralization of Special Elements Used\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08749", "scoring_system": "epss", "scoring_elements": "0.92665", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29297" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-05T18:37:01Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29297", "reference_id": "CVE-2023-29297", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29297" }, { "reference_url": "https://github.com/advisories/GHSA-gfmm-ww6f-5mm5", "reference_id": "GHSA-gfmm-ww6f-5mm5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gfmm-ww6f-5mm5" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29297", "GHSA-gfmm-ww6f-5mm5" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-az2w-5xhy-5fe4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56637?format=api", "vulnerability_id": "VCID-b3cn-pjp3-4yhm", "summary": "Magento Business Logic Error vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to circumvent intended security mechanisms by manipulating the logic of the application's operations causing limited data modification. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24425", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00245", "scoring_system": "epss", "scoring_elements": "0.48014", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24425" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:51:39Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24425", "reference_id": "CVE-2025-24425", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24425" }, { "reference_url": "https://github.com/advisories/GHSA-6ff8-jrfg-43hh", "reference_id": "GHSA-6ff8-jrfg-43hh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6ff8-jrfg-43hh" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24425", "GHSA-6ff8-jrfg-43hh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3cn-pjp3-4yhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47458?format=api", "vulnerability_id": "VCID-b4jg-dj1a-9qd5", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Confidentiality and integrity are considered high due to having admin impact.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20759", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01627", "scoring_system": "epss", "scoring_elements": "0.82238", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20759" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-11T04:01:07Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20759", "reference_id": "CVE-2024-20759", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "6.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20759" }, { "reference_url": "https://github.com/advisories/GHSA-59vf-hjxc-f9c5", "reference_id": "GHSA-59vf-hjxc-f9c5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59vf-hjxc-f9c5" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20759", "GHSA-59vf-hjxc-f9c5" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b4jg-dj1a-9qd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45954?format=api", "vulnerability_id": "VCID-b5hn-f1qk-z7cu", "summary": "Magento improper access control vulnerability within Magento's Media Gallery Upload workflow\nMagento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36036", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01566", "scoring_system": "epss", "scoring_elements": "0.81845", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01566", "scoring_system": "epss", "scoring_elements": "0.81879", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36036" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:52:37Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36036", "reference_id": "CVE-2021-36036", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36036" }, { "reference_url": "https://github.com/advisories/GHSA-wqr6-wv6c-p8fx", "reference_id": "GHSA-wqr6-wv6c-p8fx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wqr6-wv6c-p8fx" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36036", "GHSA-wqr6-wv6c-p8fx" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b5hn-f1qk-z7cu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55686?format=api", "vulnerability_id": "VCID-b9ry-u6qy-j7cc", "summary": "Magento Improper Authorization leads to Security feature bypass\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39417" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:09:31Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39417", "reference_id": "CVE-2024-39417", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39417" }, { "reference_url": "https://github.com/advisories/GHSA-4xmj-f664-hv98", "reference_id": "GHSA-4xmj-f664-hv98", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4xmj-f664-hv98" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39417", "GHSA-4xmj-f664-hv98" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b9ry-u6qy-j7cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111727?format=api", "vulnerability_id": "VCID-c1ta-jffg-cfg9", "summary": "Magento XML Injection vulnerability in the Widgets Update Layout\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36022", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93679", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93688", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36022" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36022", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36022" }, { "reference_url": "https://github.com/advisories/GHSA-3x9x-vhqj-cv27", "reference_id": "GHSA-3x9x-vhqj-cv27", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3x9x-vhqj-cv27" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36022", "GHSA-3x9x-vhqj-cv27" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1ta-jffg-cfg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111467?format=api", "vulnerability_id": "VCID-c4mx-9727-nfgs", "summary": "Magento stored cross-site scripting (XSS) in the customer address upload feature\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting (XSS) in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21030", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.06281", "scoring_system": "epss", "scoring_elements": "0.9109", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.06281", "scoring_system": "epss", "scoring_elements": "0.91103", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21030" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21030", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21030" }, { "reference_url": "https://github.com/advisories/GHSA-6988-g89m-27vf", "reference_id": "GHSA-6988-g89m-27vf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6988-g89m-27vf" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21030", "GHSA-6988-g89m-27vf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c4mx-9727-nfgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111502?format=api", "vulnerability_id": "VCID-cae3-fgn1-83hu", "summary": "Magento incorrect permissions vulnerability in the Integrations component\nMagento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24402", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40758", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40836", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24402" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24402", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24402" }, { "reference_url": "https://github.com/advisories/GHSA-hvf5-4jr9-fghh", "reference_id": "GHSA-hvf5-4jr9-fghh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hvf5-4jr9-fghh" } ], "fixed_packages": [], "aliases": [ "CVE-2020-24402", "GHSA-hvf5-4jr9-fghh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cae3-fgn1-83hu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48026?format=api", "vulnerability_id": "VCID-cafy-5dd8-rudj", "summary": "Magento allows incorrect authorization\nMagento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54265", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29548", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54265" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T20:35:42Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54265", "reference_id": "CVE-2025-54265", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54265" }, { "reference_url": "https://github.com/advisories/GHSA-r355-75hw-r8jf", "reference_id": "GHSA-r355-75hw-r8jf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r355-75hw-r8jf" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54265", "GHSA-r355-75hw-r8jf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cafy-5dd8-rudj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55699?format=api", "vulnerability_id": "VCID-cc8x-6es1-8kc5", "summary": "Magento Improper Authorization vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39413", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00306", "scoring_system": "epss", "scoring_elements": "0.54196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39413" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:08:47Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39413", "reference_id": "CVE-2024-39413", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39413" }, { "reference_url": "https://github.com/advisories/GHSA-8w5f-8992-g86j", "reference_id": "GHSA-8w5f-8992-g86j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8w5f-8992-g86j" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39413", "GHSA-8w5f-8992-g86j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cc8x-6es1-8kc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58128?format=api", "vulnerability_id": "VCID-ccx1-qacj-2qev", "summary": "Magento Community Edition Improper Input Validation vulnerability\nAdobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54236", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.72152", "scoring_system": "epss", "scoring_elements": "0.98771", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54236" }, { "reference_url": "https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-88.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-10-24T14:08:30Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-88.html" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54236" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54236", "reference_id": "CVE-2025-54236", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54236" }, { "reference_url": "https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento", "reference_id": "CVE-2025-54236-SESSIONREAPER-UNAUTHENTICATED-RCE-IN-MAGENTO", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nullsecurityx.codes/cve-2025-54236-sessionreaper-unauthenticated-rce-in-magento" }, { "reference_url": "https://github.com/advisories/GHSA-wh92-6q6g-px7j", "reference_id": "GHSA-wh92-6q6g-px7j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh92-6q6g-px7j" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54236", "GHSA-wh92-6q6g-px7j" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ccx1-qacj-2qev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111557?format=api", "vulnerability_id": "VCID-cfjt-51xj-qqdw", "summary": "Magento is affected by an improper input validation vulnerability while saving a customer's details\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability while saving a customer's details with a specially crafted file. An authenticated attacker with admin privileges can leverage this vulnerability to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36025", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.90365", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.9038", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36025" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36025", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36025" }, { "reference_url": "https://github.com/advisories/GHSA-gvfx-9m9v-h839", "reference_id": "GHSA-gvfx-9m9v-h839", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gvfx-9m9v-h839" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36025", "GHSA-gvfx-9m9v-h839" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cfjt-51xj-qqdw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45803?format=api", "vulnerability_id": "VCID-cgwk-hn4t-n7c1", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Incorrect Authorization vulnerability that could lead to a Security feature bypass. A low-privileged attacker could leverage this vulnerability to access other user's data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38209", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00202", "scoring_system": "epss", "scoring_elements": "0.42211", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38209" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:38Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38209", "reference_id": "CVE-2023-38209", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38209" }, { "reference_url": "https://github.com/advisories/GHSA-3vg2-v639-6ch9", "reference_id": "GHSA-3vg2-v639-6ch9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3vg2-v639-6ch9" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38209", "GHSA-3vg2-v639-6ch9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cgwk-hn4t-n7c1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57822?format=api", "vulnerability_id": "VCID-cm2a-1yc5-v3cy", "summary": "Magento has incorrect authorization issue that leads to arbitrary file system read\nMagento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50269", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49556" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-13T14:18:25Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49556", "reference_id": "CVE-2025-49556", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49556" }, { "reference_url": "https://github.com/advisories/GHSA-7hrj-3c9x-xv5h", "reference_id": "GHSA-7hrj-3c9x-xv5h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7hrj-3c9x-xv5h" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49556", "GHSA-7hrj-3c9x-xv5h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cm2a-1yc5-v3cy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55689?format=api", "vulnerability_id": "VCID-cqjn-3z6n-sff1", "summary": "Magento Improper Authorization leads to Security feature bypass\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39416", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0032", "scoring_system": "epss", "scoring_elements": "0.55365", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39416" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:11:27Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39416", "reference_id": "CVE-2024-39416", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39416" }, { "reference_url": "https://github.com/advisories/GHSA-4xgg-rw35-7mv5", "reference_id": "GHSA-4xgg-rw35-7mv5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4xgg-rw35-7mv5" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39416", "GHSA-4xgg-rw35-7mv5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cqjn-3z6n-sff1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44758?format=api", "vulnerability_id": "VCID-d2ab-j8bf-e7dx", "summary": "Magento Open Source allows XML Injection\nAdobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22247", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04774", "scoring_system": "epss", "scoring_elements": "0.89643", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04774", "scoring_system": "epss", "scoring_elements": "0.8966", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22247" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:24Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22247", "reference_id": "CVE-2023-22247", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22247" }, { "reference_url": "https://github.com/advisories/GHSA-2444-8gj8-6fmx", "reference_id": "GHSA-2444-8gj8-6fmx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2444-8gj8-6fmx" } ], "fixed_packages": [], "aliases": [ "CVE-2023-22247", "GHSA-2444-8gj8-6fmx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d2ab-j8bf-e7dx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56643?format=api", "vulnerability_id": "VCID-d6mk-hg8h-7qbc", "summary": "Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing security mechanisms. Exploitation of this issue requires user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27789", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24432" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T19:09:50Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24432", "reference_id": "CVE-2025-24432", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24432" }, { "reference_url": "https://github.com/advisories/GHSA-7jmr-43qj-pw47", "reference_id": "GHSA-7jmr-43qj-pw47", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7jmr-43qj-pw47" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24432", "GHSA-7jmr-43qj-pw47" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d6mk-hg8h-7qbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48032?format=api", "vulnerability_id": "VCID-dj5a-35gt-u7dn", "summary": "Magento vulnerable to privilege escalation due to incorrect authorization\nMagento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to elevated privileges that increase integrity impact to high. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00065", "scoring_system": "epss", "scoring_elements": "0.20523", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54267" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-16T03:56:04Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54267", "reference_id": "CVE-2025-54267", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54267" }, { "reference_url": "https://github.com/advisories/GHSA-qvwr-p3hj-j6jf", "reference_id": "GHSA-qvwr-p3hj-j6jf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qvwr-p3hj-j6jf" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54267", "GHSA-qvwr-p3hj-j6jf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dj5a-35gt-u7dn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55684?format=api", "vulnerability_id": "VCID-dpgz-dacm-sqg6", "summary": "Magento Improper Authorization vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures to view and edit low-sensitivity information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39418", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.56106", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39418" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:08:28Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39418", "reference_id": "CVE-2024-39418", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39418" }, { "reference_url": "https://github.com/advisories/GHSA-gvgf-pvh5-vjh4", "reference_id": "GHSA-gvgf-pvh5-vjh4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gvgf-pvh5-vjh4" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39418", "GHSA-gvgf-pvh5-vjh4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dpgz-dacm-sqg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45413?format=api", "vulnerability_id": "VCID-dx43-89w9-a7dg", "summary": "Magento Open Source allows Server-Side Request Forgery (SSRF)\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29292", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00469", "scoring_system": "epss", "scoring_elements": "0.64946", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29292" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:16Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29292", "reference_id": "CVE-2023-29292", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29292" }, { "reference_url": "https://github.com/advisories/GHSA-4588-7x48-jrgj", "reference_id": "GHSA-4588-7x48-jrgj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4588-7x48-jrgj" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29292", "GHSA-4588-7x48-jrgj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dx43-89w9-a7dg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55681?format=api", "vulnerability_id": "VCID-e9zx-zy9y-2fcp", "summary": "Magento OS Command ('OS Command Injection') vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an admin attacker. Exploitation of this issue requires user interaction and scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39401", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0264", "scoring_system": "epss", "scoring_elements": "0.86017", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39401" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:10:32Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39401", "reference_id": "CVE-2024-39401", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39401" }, { "reference_url": "https://github.com/advisories/GHSA-8frp-pxq2-3gpq", "reference_id": "GHSA-8frp-pxq2-3gpq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8frp-pxq2-3gpq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39401", "GHSA-8frp-pxq2-3gpq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e9zx-zy9y-2fcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112485?format=api", "vulnerability_id": "VCID-ed87-d3y2-wfck", "summary": "Magento improper authorization vulnerability in the integrations module\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21026", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00679", "scoring_system": "epss", "scoring_elements": "0.72008", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00679", "scoring_system": "epss", "scoring_elements": "0.71969", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21026" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497" }, { "reference_url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21026", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21026" }, { "reference_url": "https://github.com/advisories/GHSA-crjc-2v9m-8w7r", "reference_id": "GHSA-crjc-2v9m-8w7r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-crjc-2v9m-8w7r" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21026", "GHSA-crjc-2v9m-8w7r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ed87-d3y2-wfck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57095?format=api", "vulnerability_id": "VCID-egy6-nku7-zyap", "summary": "Magento Improper Access Control leads to Security feature bypass\nMagento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27191", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50333", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27191" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T20:53:08Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27191", "reference_id": "CVE-2025-27191", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27191" }, { "reference_url": "https://github.com/advisories/GHSA-vhcq-4xrm-2cr2", "reference_id": "GHSA-vhcq-4xrm-2cr2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vhcq-4xrm-2cr2" } ], "fixed_packages": [], "aliases": [ "CVE-2025-27191", "GHSA-vhcq-4xrm-2cr2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-egy6-nku7-zyap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111366?format=api", "vulnerability_id": "VCID-er49-k3tc-ufcu", "summary": "Magento allows attackers to alter the price of items\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability during the checkout process. An unauthenticated attacker can leverage this vulnerability to alter the price of items.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36030", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01428", "scoring_system": "epss", "scoring_elements": "0.80981", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01428", "scoring_system": "epss", "scoring_elements": "0.8101", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36030" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36030", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36030" }, { "reference_url": "https://github.com/advisories/GHSA-rhff-65hp-55rw", "reference_id": "GHSA-rhff-65hp-55rw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rhff-65hp-55rw" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36030", "GHSA-rhff-65hp-55rw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-er49-k3tc-ufcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57814?format=api", "vulnerability_id": "VCID-eygc-ra9u-gyej", "summary": "Magento Cross-Site Request Forgery (CSRF) vulnerability\nMagento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49555", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2931", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49555" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-13T15:04:10Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49555", "reference_id": "CVE-2025-49555", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49555" }, { "reference_url": "https://github.com/advisories/GHSA-5777-jj7p-mpqw", "reference_id": "GHSA-5777-jj7p-mpqw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5777-jj7p-mpqw" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49555", "GHSA-5777-jj7p-mpqw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eygc-ra9u-gyej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112124?format=api", "vulnerability_id": "VCID-f5ef-53gt-nbcu", "summary": "Magento command injection vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9583", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.031", "scoring_system": "epss", "scoring_elements": "0.87045", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.031", "scoring_system": "epss", "scoring_elements": "0.87067", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9583" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9583", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9583" }, { "reference_url": "https://github.com/advisories/GHSA-c55h-7q4j-g6rq", "reference_id": "GHSA-c55h-7q4j-g6rq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c55h-7q4j-g6rq" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9583", "GHSA-c55h-7q4j-g6rq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f5ef-53gt-nbcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/109931?format=api", "vulnerability_id": "VCID-fyh6-gupt-eqgm", "summary": "Magento Open Source has Improper Access Control vulnerability\nAdobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to leak minor information of another user's account details. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35692", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.6696", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.6692", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35692" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:06:14Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb22-38.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35692", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35692" }, { "reference_url": "https://github.com/advisories/GHSA-gm4m-9rm8-7rxj", "reference_id": "GHSA-gm4m-9rm8-7rxj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm4m-9rm8-7rxj" } ], "fixed_packages": [], "aliases": [ "CVE-2022-35692", "GHSA-gm4m-9rm8-7rxj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fyh6-gupt-eqgm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56628?format=api", "vulnerability_id": "VCID-fz5y-um7w-63f4", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24410", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01784", "scoring_system": "epss", "scoring_elements": "0.831", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24410" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:38Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24410", "reference_id": "CVE-2025-24410", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24410" }, { "reference_url": "https://github.com/advisories/GHSA-gjxp-46rq-wg4q", "reference_id": "GHSA-gjxp-46rq-wg4q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gjxp-46rq-wg4q" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24410", "GHSA-gjxp-46rq-wg4q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fz5y-um7w-63f4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111945?format=api", "vulnerability_id": "VCID-fz6y-fece-skgr", "summary": "Magento has a file extension restrictions bypass\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to bypass file extension restrictions and could lead to remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36040", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03446", "scoring_system": "epss", "scoring_elements": "0.87714", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03446", "scoring_system": "epss", "scoring_elements": "0.87735", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36040" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36040", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36040" }, { "reference_url": "https://github.com/advisories/GHSA-2pq5-gpqf-g4r3", "reference_id": "GHSA-2pq5-gpqf-g4r3", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2pq5-gpqf-g4r3" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36040", "GHSA-2pq5-gpqf-g4r3" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fz6y-fece-skgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45408?format=api", "vulnerability_id": "VCID-fzam-yuyg-qyd5", "summary": "Magento Open Source allows XML Injection\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an XML Injection vulnerability. An attacker with low privileges can trigger a specially crafted script to a security feature bypass. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29289", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00357", "scoring_system": "epss", "scoring_elements": "0.58314", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29289" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:23Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29289", "reference_id": "CVE-2023-29289", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29289" }, { "reference_url": "https://github.com/advisories/GHSA-wh42-8r2w-873x", "reference_id": "GHSA-wh42-8r2w-873x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh42-8r2w-873x" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29289", "GHSA-wh42-8r2w-873x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fzam-yuyg-qyd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57819?format=api", "vulnerability_id": "VCID-fzm9-e6bg-r7aw", "summary": "Magento Cross-site Scripting vulnerability\nAdobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49557", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00082", "scoring_system": "epss", "scoring_elements": "0.24233", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49557" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-13T15:04:12Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49557", "reference_id": "CVE-2025-49557", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49557" }, { "reference_url": "https://github.com/advisories/GHSA-8mq8-c243-2335", "reference_id": "GHSA-8mq8-c243-2335", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8mq8-c243-2335" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49557", "GHSA-8mq8-c243-2335" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fzm9-e6bg-r7aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56647?format=api", "vulnerability_id": "VCID-gedj-39p5-ubd6", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24413", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24413" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:44Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24413", "reference_id": "CVE-2025-24413", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24413" }, { "reference_url": "https://github.com/advisories/GHSA-xwgx-8v72-4j5j", "reference_id": "GHSA-xwgx-8v72-4j5j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xwgx-8v72-4j5j" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24413", "GHSA-xwgx-8v72-4j5j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gedj-39p5-ubd6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111965?format=api", "vulnerability_id": "VCID-gm81-x6qm-xbat", "summary": "Magento 2 Community Edition RCE Vulnerability\nA remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.\n\nAs per [the Magento Release 2.3.3](https://web.archive.org/web/20201126132230/https://devdocs.magento.com/guides/v2.3/release-notes/release-notes-2-3-3-commerce.html#new-security-only-patch-available), if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-8114", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01199", "scoring_system": "epss", "scoring_elements": "0.79258", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01199", "scoring_system": "epss", "scoring_elements": "0.79232", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-8114" }, { "reference_url": "https://devdocs-openmage.org/guides/m1x//ce19-ee114/ee1.14_release-notes.html#ee114-11443", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://devdocs-openmage.org/guides/m1x//ce19-ee114/ee1.14_release-notes.html#ee114-11443" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-8114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-8114.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-8114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-8114.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8114.yaml" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8114", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8114" }, { "reference_url": "https://web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219" }, { "reference_url": "https://github.com/advisories/GHSA-crv7-r357-gw3w", "reference_id": "GHSA-crv7-r357-gw3w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-crv7-r357-gw3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/154434?format=api", "purl": "pkg:composer/magento/project-community-edition@1.9.4%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/project-community-edition@1.9.4%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/580560?format=api", "purl": "pkg:composer/magento/project-community-edition@2.0.0-rc", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1b6m-qfes-mqab" }, { "vulnerability": "VCID-1jsp-392b-2fgb" }, { "vulnerability": "VCID-1vw9-9rmg-ekdz" }, { "vulnerability": "VCID-2fd4-t2w2-8uhd" }, { "vulnerability": "VCID-2g87-y8ek-xfdr" }, { "vulnerability": "VCID-2h52-3pt6-dfcw" }, { "vulnerability": "VCID-2ttz-k7d2-jucf" }, { "vulnerability": "VCID-2vsw-t8k2-4bfm" }, { "vulnerability": "VCID-36ve-7wxt-z7fz" }, { "vulnerability": "VCID-3et4-3zad-1qfn" }, { "vulnerability": "VCID-3zcy-b3th-ukhd" }, { "vulnerability": "VCID-4cbe-djqs-tug1" }, { "vulnerability": "VCID-4dae-vty8-b7hk" }, { "vulnerability": "VCID-4dpj-5zh4-4fgv" }, { "vulnerability": "VCID-4w1v-es9j-subp" }, { "vulnerability": "VCID-525q-afzj-tkcp" }, { "vulnerability": "VCID-5gxr-xksz-5ydb" }, { "vulnerability": "VCID-5ppd-jm8d-97eh" }, { "vulnerability": "VCID-5wfa-wpby-dke1" }, { "vulnerability": "VCID-69wt-c418-mubr" }, { "vulnerability": "VCID-6mjf-p1d9-8qa1" }, { "vulnerability": "VCID-6p6q-ctya-q3bv" }, { "vulnerability": "VCID-6t9w-cnkz-s3c3" }, { "vulnerability": "VCID-6tx4-wexr-fkbb" }, { "vulnerability": "VCID-6wdt-8fbe-hkbe" }, { "vulnerability": "VCID-6x2s-f7fh-4yac" }, { "vulnerability": "VCID-7hrm-jtbx-sqgm" }, { "vulnerability": "VCID-7s74-rdkp-vyaf" }, { "vulnerability": "VCID-7s7e-adr6-h3dc" }, { "vulnerability": "VCID-8ape-agd1-s7hf" }, { "vulnerability": "VCID-8hx4-r8bb-n7ge" }, { "vulnerability": "VCID-8ky6-w2nk-9bds" }, { "vulnerability": "VCID-8msu-s38a-p7e3" }, { "vulnerability": "VCID-8shb-t5zp-rqbu" }, { "vulnerability": "VCID-8u5e-d6nx-3khc" }, { "vulnerability": "VCID-92tv-nghv-mqf2" }, { "vulnerability": "VCID-9cc9-npdc-8bac" }, { "vulnerability": "VCID-9vrt-uccb-myev" }, { "vulnerability": "VCID-a8gs-ervm-e3hm" }, { "vulnerability": "VCID-a9b6-tenb-afdw" }, { "vulnerability": "VCID-agtm-nkhp-dkdn" }, { "vulnerability": "VCID-apue-gaqy-n3cq" }, { "vulnerability": "VCID-az2w-5xhy-5fe4" }, { "vulnerability": "VCID-b3cn-pjp3-4yhm" }, { "vulnerability": "VCID-b4jg-dj1a-9qd5" }, { "vulnerability": "VCID-b5hn-f1qk-z7cu" }, { "vulnerability": "VCID-b9ry-u6qy-j7cc" }, { "vulnerability": "VCID-c1ta-jffg-cfg9" }, { "vulnerability": "VCID-c4mx-9727-nfgs" }, { "vulnerability": "VCID-cae3-fgn1-83hu" }, { "vulnerability": "VCID-cafy-5dd8-rudj" }, { "vulnerability": "VCID-cc8x-6es1-8kc5" }, { "vulnerability": "VCID-ccx1-qacj-2qev" }, { "vulnerability": "VCID-cfjt-51xj-qqdw" }, { "vulnerability": "VCID-cgwk-hn4t-n7c1" }, { "vulnerability": "VCID-cm2a-1yc5-v3cy" }, { "vulnerability": "VCID-cqjn-3z6n-sff1" }, { "vulnerability": "VCID-d2ab-j8bf-e7dx" }, { "vulnerability": "VCID-d6mk-hg8h-7qbc" }, { "vulnerability": "VCID-dj5a-35gt-u7dn" }, { "vulnerability": "VCID-dpgz-dacm-sqg6" }, { "vulnerability": "VCID-dx43-89w9-a7dg" }, { "vulnerability": "VCID-e9zx-zy9y-2fcp" }, { "vulnerability": "VCID-ed87-d3y2-wfck" }, { "vulnerability": "VCID-egy6-nku7-zyap" }, { "vulnerability": "VCID-er49-k3tc-ufcu" }, { "vulnerability": "VCID-eygc-ra9u-gyej" }, { "vulnerability": "VCID-f5ef-53gt-nbcu" }, { "vulnerability": "VCID-fyh6-gupt-eqgm" }, { "vulnerability": "VCID-fz5y-um7w-63f4" }, { "vulnerability": "VCID-fz6y-fece-skgr" }, { "vulnerability": "VCID-fzam-yuyg-qyd5" }, { "vulnerability": "VCID-fzm9-e6bg-r7aw" }, { "vulnerability": "VCID-gedj-39p5-ubd6" }, { "vulnerability": "VCID-gxnx-f2qh-3yf9" }, { "vulnerability": "VCID-gyj5-abau-uyf6" }, { "vulnerability": "VCID-hbau-7tvg-cygz" }, { "vulnerability": "VCID-hd53-pxmk-ruap" }, { "vulnerability": "VCID-hh8a-mgkk-3yb5" }, { "vulnerability": "VCID-hspp-kw5e-akbr" }, { "vulnerability": "VCID-j124-q39m-mkby" }, { "vulnerability": "VCID-j5vp-2jrx-ukf4" }, { "vulnerability": "VCID-j6ss-8f4e-e7g2" }, { "vulnerability": "VCID-j77a-cqsd-wuf1" }, { "vulnerability": "VCID-jhd5-tqph-3ufu" }, { "vulnerability": "VCID-jmhs-9u49-ekbj" }, { "vulnerability": "VCID-jr49-4fs3-8qcp" }, { "vulnerability": "VCID-kezx-5nw5-hfen" }, { "vulnerability": "VCID-kgws-xvjr-g7bv" }, { "vulnerability": "VCID-kv6x-nz1s-uuar" }, { "vulnerability": "VCID-kxnm-y19k-mqg2" }, { "vulnerability": "VCID-m5z8-hz81-j7b7" }, { "vulnerability": "VCID-m83v-51cy-uqar" }, { "vulnerability": "VCID-md7v-w5aq-t7h1" }, { "vulnerability": "VCID-mhvf-2keh-2qar" }, { "vulnerability": "VCID-mjb6-7au8-5fdx" }, { "vulnerability": "VCID-msac-ptqf-pyg1" }, { "vulnerability": "VCID-mtes-xpe5-qkdj" }, { "vulnerability": "VCID-mtr5-suag-2bdj" }, { "vulnerability": "VCID-n5mn-3a8f-nbdb" }, { "vulnerability": "VCID-nf6t-99ep-w3dy" }, { "vulnerability": "VCID-nm39-k1su-yyep" }, { "vulnerability": "VCID-nn21-hf8r-ykfd" }, { "vulnerability": "VCID-p1py-xewy-7khn" }, { "vulnerability": "VCID-p222-28c1-vfhy" }, { "vulnerability": "VCID-p9qx-66yy-1kc1" }, { "vulnerability": "VCID-pm85-dfg2-euep" }, { "vulnerability": "VCID-q4yr-fqww-tbb1" }, { "vulnerability": "VCID-qfw5-3tdu-x7g4" }, { "vulnerability": "VCID-qj4x-u7gx-9uf1" }, { "vulnerability": "VCID-qp7s-amch-v3cd" }, { "vulnerability": "VCID-qq42-4zzt-3kh2" }, { "vulnerability": "VCID-qr9t-ckvn-8uby" }, { "vulnerability": "VCID-qrwc-3gsb-zkfy" }, { "vulnerability": "VCID-qzqd-271b-ybfj" }, { "vulnerability": "VCID-r4bw-w4t9-23ek" }, { "vulnerability": "VCID-r7nh-arcj-8fb3" }, { "vulnerability": "VCID-rbjk-3gcs-2qb5" }, { "vulnerability": "VCID-re84-qg3k-3ub3" }, { "vulnerability": "VCID-rf6p-ct86-5bgz" }, { "vulnerability": "VCID-rgnq-s54v-vkdm" }, { "vulnerability": "VCID-ruru-fwmn-5kes" }, { "vulnerability": "VCID-s4bp-kzfu-8qfy" }, { "vulnerability": "VCID-s5e2-d6n8-kkbr" }, { "vulnerability": "VCID-scg7-ugdn-53b9" }, { "vulnerability": "VCID-sd6n-a9mk-aufb" }, { "vulnerability": "VCID-tc3m-4bkg-qkcf" }, { "vulnerability": "VCID-tdg3-1dcq-ekgr" }, { "vulnerability": "VCID-te3b-exz5-zke1" }, { "vulnerability": "VCID-th7y-aj51-mbaj" }, { "vulnerability": "VCID-tvz9-8s4d-gbg6" }, { "vulnerability": "VCID-tzug-ckkn-dyft" }, { "vulnerability": "VCID-u2hc-27c2-1udc" }, { "vulnerability": "VCID-upcj-z3c1-ubcf" }, { "vulnerability": "VCID-uwnu-vhsb-g3bj" }, { "vulnerability": "VCID-ve4u-d5rz-wyab" }, { "vulnerability": "VCID-vyyk-xq4q-b3bz" }, { "vulnerability": "VCID-w3zd-fezc-nuhd" }, { "vulnerability": "VCID-w42y-yc7r-kqhp" }, { "vulnerability": "VCID-w4uu-k7nk-a7hr" }, { "vulnerability": "VCID-wbt5-q9qd-8kby" }, { "vulnerability": "VCID-wh14-k3ex-pubq" }, { "vulnerability": "VCID-wjfe-wh5k-1qft" }, { "vulnerability": "VCID-ws6y-k3tx-r3gb" }, { "vulnerability": "VCID-wwp5-kfhy-ufar" }, { "vulnerability": "VCID-wzcg-wnnq-uudu" }, { "vulnerability": "VCID-wzu6-rbsv-mkde" }, { "vulnerability": "VCID-x46d-a16g-nkg9" }, { "vulnerability": "VCID-xbhh-m11c-gkeu" }, { "vulnerability": "VCID-xsq8-ztqh-ubb8" }, { "vulnerability": "VCID-y4r1-yr69-uuf6" }, { "vulnerability": "VCID-y7x4-664r-3fbk" }, { "vulnerability": "VCID-y93w-2qcc-wqg8" }, { "vulnerability": "VCID-ya5v-gewx-gudt" }, { "vulnerability": "VCID-yuvf-e7hk-kqf9" }, { "vulnerability": "VCID-yyq6-dvyx-3bb9" }, { "vulnerability": "VCID-ze8y-4wfs-hbf9" }, { "vulnerability": "VCID-zgyj-4zuz-wkev" }, { "vulnerability": "VCID-zt9b-9sjx-7qb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/project-community-edition@2.0.0-rc" } ], "aliases": [ "CVE-2019-8114", "GHSA-crv7-r357-gw3w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gm81-x6qm-xbat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111163?format=api", "vulnerability_id": "VCID-gxnx-f2qh-3yf9", "summary": "Magento discloses sensitive information via the Multishipping Module\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the Multishipping Module. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36038", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01462", "scoring_system": "epss", "scoring_elements": "0.81203", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01462", "scoring_system": "epss", "scoring_elements": "0.81231", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36038" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36038", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36038" }, { "reference_url": "https://github.com/advisories/GHSA-wgpr-9675-8r67", "reference_id": "GHSA-wgpr-9675-8r67", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wgpr-9675-8r67" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36038", "GHSA-wgpr-9675-8r67" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gxnx-f2qh-3yf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111006?format=api", "vulnerability_id": "VCID-gyj5-abau-uyf6", "summary": "Magento stored cross-site scripting vulnerability in the admin console\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21023", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03783", "scoring_system": "epss", "scoring_elements": "0.88271", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03783", "scoring_system": "epss", "scoring_elements": "0.8829", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21023" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21023", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21023" }, { "reference_url": "https://github.com/advisories/GHSA-h5rm-m772-6qcx", "reference_id": "GHSA-h5rm-m772-6qcx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h5rm-m772-6qcx" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21023", "GHSA-h5rm-m772-6qcx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gyj5-abau-uyf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56622?format=api", "vulnerability_id": "VCID-hbau-7tvg-cygz", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24429", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00182", "scoring_system": "epss", "scoring_elements": "0.39685", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24429" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:48:50Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24429", "reference_id": "CVE-2025-24429", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24429" }, { "reference_url": "https://github.com/advisories/GHSA-656q-fx2w-8ccv", "reference_id": "GHSA-656q-fx2w-8ccv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-656q-fx2w-8ccv" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24429", "GHSA-656q-fx2w-8ccv" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hbau-7tvg-cygz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108779?format=api", "vulnerability_id": "VCID-hd53-pxmk-ruap", "summary": "Magento Open Source allows Stored Cross-Site Scripting (Stored XSS)\nAdobe Commerce versions 2.4.3-p3 (and earlier), 2.4.4-p1 (and earlier) and 2.4.5 (and earlier) are affected by a Stored Cross-site Scripting vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35698", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02186", "scoring_system": "epss", "scoring_elements": "0.84703", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02186", "scoring_system": "epss", "scoring_elements": "0.8468", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35698" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:07:24Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb22-48.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35698", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35698" }, { "reference_url": "https://github.com/advisories/GHSA-4vj2-426r-jm3g", "reference_id": "GHSA-4vj2-426r-jm3g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4vj2-426r-jm3g" } ], "fixed_packages": [], "aliases": [ "CVE-2022-35698", "GHSA-4vj2-426r-jm3g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hd53-pxmk-ruap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44762?format=api", "vulnerability_id": "VCID-hh8a-mgkk-3yb5", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Incorrect Authorization vulnerability. A low-privileged authenticated attacker could leverage this vulnerability to achieve minor information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22251", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41851", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00199", "scoring_system": "epss", "scoring_elements": "0.41927", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22251" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:47Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22251", "reference_id": "CVE-2023-22251", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22251" }, { "reference_url": "https://github.com/advisories/GHSA-2wm7-mmgc-qxr3", "reference_id": "GHSA-2wm7-mmgc-qxr3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2wm7-mmgc-qxr3" } ], "fixed_packages": [], "aliases": [ "CVE-2023-22251", "GHSA-2wm7-mmgc-qxr3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hh8a-mgkk-3yb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112481?format=api", "vulnerability_id": "VCID-hspp-kw5e-akbr", "summary": "Magento vulnerable to file upload attack\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges could upload a specially crafted file in the 'pub/media` directory could lead to remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36041", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.90365", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.9038", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36041" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36041", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36041" }, { "reference_url": "https://github.com/advisories/GHSA-mx5m-j5xr-jg8c", "reference_id": "GHSA-mx5m-j5xr-jg8c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mx5m-j5xr-jg8c" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36041", "GHSA-mx5m-j5xr-jg8c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hspp-kw5e-akbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47017?format=api", "vulnerability_id": "VCID-j124-q39m-mkby", "summary": "Magento Open Source allows Cross-Site Request Forgery (CSRF)\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to trick a victim into performing actions they did not intend to do, which could be used to bypass security measures and gain unauthorized access. Exploitation of this issue requires user interaction, typically in the form of the victim clicking a link or visiting a malicious website.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20718", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30556", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20718" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-29T17:27:46Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20718", "reference_id": "CVE-2024-20718", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20718" }, { "reference_url": "https://github.com/advisories/GHSA-hqgj-4396-hmxv", "reference_id": "GHSA-hqgj-4396-hmxv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hqgj-4396-hmxv" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20718", "GHSA-hqgj-4396-hmxv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j124-q39m-mkby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47019?format=api", "vulnerability_id": "VCID-j5vp-2jrx-ukf4", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an admin attacker to inject malicious scripts into every admin page. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field, that could be leveraged to gain admin access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20719", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01149", "scoring_system": "epss", "scoring_elements": "0.78852", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20719" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-21T05:00:29Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20719", "reference_id": "CVE-2024-20719", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20719" }, { "reference_url": "https://github.com/advisories/GHSA-264g-f7v8-q5qq", "reference_id": "GHSA-264g-f7v8-q5qq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-264g-f7v8-q5qq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20719", "GHSA-264g-f7v8-q5qq" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j5vp-2jrx-ukf4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57100?format=api", "vulnerability_id": "VCID-j6ss-8f4e-e7g2", "summary": "Magento does not properly protect credentials\nMagento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27192", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.2817", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27192" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T20:53:23Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-26.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27192", "reference_id": "CVE-2025-27192", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27192" }, { "reference_url": "https://github.com/advisories/GHSA-2r94-wm5v-4prx", "reference_id": "GHSA-2r94-wm5v-4prx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2r94-wm5v-4prx" } ], "fixed_packages": [], "aliases": [ "CVE-2025-27192", "GHSA-2r94-wm5v-4prx" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6ss-8f4e-e7g2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111185?format=api", "vulnerability_id": "VCID-j77a-cqsd-wuf1", "summary": "Magento Insufficient Session Expiration\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) do not adequately invalidate user sessions. Successful exploitation of this issue could lead to unauthorized access to restricted resources. Access to the admin console is not required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21032", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38019", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38109", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21032" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21032", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21032" }, { "reference_url": "https://github.com/advisories/GHSA-4jfq-f8hc-775q", "reference_id": "GHSA-4jfq-f8hc-775q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4jfq-f8hc-775q" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21032", "GHSA-4jfq-f8hc-775q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j77a-cqsd-wuf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45809?format=api", "vulnerability_id": "VCID-jhd5-tqph-3ufu", "summary": "Magento Open Source allows Improper Neutralization of Special Elements Used\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38208", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03849", "scoring_system": "epss", "scoring_elements": "0.88421", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38208" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:53:29Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38208", "reference_id": "CVE-2023-38208", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38208" }, { "reference_url": "https://github.com/advisories/GHSA-mxc9-g6m4-2v35", "reference_id": "GHSA-mxc9-g6m4-2v35", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mxc9-g6m4-2v35" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38208", "GHSA-mxc9-g6m4-2v35" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jhd5-tqph-3ufu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112095?format=api", "vulnerability_id": "VCID-jmhs-9u49-ekbj", "summary": "Magento Insecure Direct Object Reference (IDOR) in the product module\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21022", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00154", "scoring_system": "epss", "scoring_elements": "0.35755", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00154", "scoring_system": "epss", "scoring_elements": "0.35851", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21022" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21022", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21022" }, { "reference_url": "https://github.com/advisories/GHSA-8pfq-g48p-x7w8", "reference_id": "GHSA-8pfq-g48p-x7w8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8pfq-g48p-x7w8" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21022", "GHSA-8pfq-g48p-x7w8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jmhs-9u49-ekbj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56645?format=api", "vulnerability_id": "VCID-jr49-4fs3-8qcp", "summary": "Improper Authorization vulnerability in Magento and Adobe Commerce\nAdobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24434", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00215", "scoring_system": "epss", "scoring_elements": "0.44087", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24434" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:37Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24434", "reference_id": "CVE-2025-24434", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24434" }, { "reference_url": "https://github.com/advisories/GHSA-fppq-f2m6-xv5c", "reference_id": "GHSA-fppq-f2m6-xv5c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fppq-f2m6-xv5c" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24434", "GHSA-fppq-f2m6-xv5c" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jr49-4fs3-8qcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55678?format=api", "vulnerability_id": "VCID-kezx-5nw5-hfen", "summary": "Magento Improper Access Control Leads to Privilege escalation\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and disclose minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39414", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0032", "scoring_system": "epss", "scoring_elements": "0.55365", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39414" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:11:42Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39414", "reference_id": "CVE-2024-39414", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39414" }, { "reference_url": "https://github.com/advisories/GHSA-x6f9-hv9r-fgq4", "reference_id": "GHSA-x6f9-hv9r-fgq4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x6f9-hv9r-fgq4" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39414", "GHSA-x6f9-hv9r-fgq4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kezx-5nw5-hfen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110863?format=api", "vulnerability_id": "VCID-kgws-xvjr-g7bv", "summary": "Magento affected by a blind SSRF vulnerability in the bundled dotmailer extension\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a blind SSRF vulnerability in the bundled dotmailer extension. An attacker with admin privileges could abuse this to achieve remote code execution should Redis be enabled.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36043", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0261", "scoring_system": "epss", "scoring_elements": "0.85921", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0261", "scoring_system": "epss", "scoring_elements": "0.85942", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36043" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36043", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36043" }, { "reference_url": "https://github.com/advisories/GHSA-36xq-7w8w-xp68", "reference_id": "GHSA-36xq-7w8w-xp68", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-36xq-7w8w-xp68" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36043", "GHSA-36xq-7w8w-xp68" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kgws-xvjr-g7bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112060?format=api", "vulnerability_id": "VCID-kv6x-nz1s-uuar", "summary": "Magento affected by remote code execution via a file upload\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An attacker with admin privileges can upload a specially crafted file to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36034", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.90365", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.05476", "scoring_system": "epss", "scoring_elements": "0.9038", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36034" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36034", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36034" }, { "reference_url": "https://github.com/advisories/GHSA-j46h-qjjv-cxfj", "reference_id": "GHSA-j46h-qjjv-cxfj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j46h-qjjv-cxfj" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36034", "GHSA-j46h-qjjv-cxfj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kv6x-nz1s-uuar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46203?format=api", "vulnerability_id": "VCID-kxnm-y19k-mqg2", "summary": "Magento Open Source allows Server-Side Request Forgery (SSRF)\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privileged authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction, scope is changed due to the fact that an attacker can enforce file read outside the application's path boundary.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-26366", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58113", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58164", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-26366" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:49:13Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26366", "reference_id": "CVE-2023-26366", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "5.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26366" }, { "reference_url": "https://github.com/advisories/GHSA-8jxc-5f94-22vh", "reference_id": "GHSA-8jxc-5f94-22vh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8jxc-5f94-22vh" } ], "fixed_packages": [], "aliases": [ "CVE-2023-26366", "GHSA-8jxc-5f94-22vh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kxnm-y19k-mqg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55683?format=api", "vulnerability_id": "VCID-m5z8-hz81-j7b7", "summary": "Magento Improper Authorization vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39405", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46342", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39405" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:13:21Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39405", "reference_id": "CVE-2024-39405", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39405" }, { "reference_url": "https://github.com/advisories/GHSA-5g9f-7gqc-8hj4", "reference_id": "GHSA-5g9f-7gqc-8hj4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5g9f-7gqc-8hj4" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39405", "GHSA-5g9f-7gqc-8hj4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m5z8-hz81-j7b7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46201?format=api", "vulnerability_id": "VCID-m83v-51cy-uqar", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38218", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00692", "scoring_system": "epss", "scoring_elements": "0.72271", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38218" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38218", "reference_id": "CVE-2023-38218", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38218" }, { "reference_url": "https://github.com/advisories/GHSA-rpc7-gf58-v3x2", "reference_id": "GHSA-rpc7-gf58-v3x2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rpc7-gf58-v3x2" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38218", "GHSA-rpc7-gf58-v3x2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m83v-51cy-uqar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57533?format=api", "vulnerability_id": "VCID-md7v-w5aq-t7h1", "summary": "Magento Security feature bypass\nMagento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49550", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00468", "scoring_system": "epss", "scoring_elements": "0.64889", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49550" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-25T18:07:51Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49550", "reference_id": "CVE-2025-49550", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49550" }, { "reference_url": "https://github.com/advisories/GHSA-8hcx-xvww-6c6h", "reference_id": "GHSA-8hcx-xvww-6c6h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8hcx-xvww-6c6h" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49550", "GHSA-8hcx-xvww-6c6h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-md7v-w5aq-t7h1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56626?format=api", "vulnerability_id": "VCID-mhvf-2keh-2qar", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24417" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:50Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24417", "reference_id": "CVE-2025-24417", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24417" }, { "reference_url": "https://github.com/advisories/GHSA-g3j6-9753-8mp2", "reference_id": "GHSA-g3j6-9753-8mp2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-g3j6-9753-8mp2" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24417", "GHSA-g3j6-9753-8mp2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mhvf-2keh-2qar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56646?format=api", "vulnerability_id": "VCID-mjb6-7au8-5fdx", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24414", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24414" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:45Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24414", "reference_id": "CVE-2025-24414", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24414" }, { "reference_url": "https://github.com/advisories/GHSA-fhw6-3mj5-w9gv", "reference_id": "GHSA-fhw6-3mj5-w9gv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fhw6-3mj5-w9gv" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24414", "GHSA-fhw6-3mj5-w9gv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mjb6-7au8-5fdx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47021?format=api", "vulnerability_id": "VCID-msac-ptqf-pyg1", "summary": "Magento Open Source allows OS Command Injection\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07195", "scoring_system": "epss", "scoring_elements": "0.91752", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20720" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-11T17:46:31Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20720", "reference_id": "CVE-2024-20720", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20720" }, { "reference_url": "https://github.com/advisories/GHSA-525f-pvj5-vqmq", "reference_id": "GHSA-525f-pvj5-vqmq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-525f-pvj5-vqmq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20720", "GHSA-525f-pvj5-vqmq" ], "risk_score": 4.1, "exploitability": "0.5", "weighted_severity": "8.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-msac-ptqf-pyg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111534?format=api", "vulnerability_id": "VCID-mtes-xpe5-qkdj", "summary": "Magento 2 Community Edition RCE via Unsafe File Upload\nMagento versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03057", "scoring_system": "epss", "scoring_elements": "0.86957", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03057", "scoring_system": "epss", "scoring_elements": "0.86979", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24407" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24407", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24407" }, { "reference_url": "https://github.com/advisories/GHSA-7pxg-6p87-8c9v", "reference_id": "GHSA-7pxg-6p87-8c9v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7pxg-6p87-8c9v" } ], "fixed_packages": [], "aliases": [ "CVE-2020-24407", "GHSA-7pxg-6p87-8c9v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mtes-xpe5-qkdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45416?format=api", "vulnerability_id": "VCID-mtr5-suag-2bdj", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A privileged attacker could leverage this vulnerability to modify a minor functionality of another user's data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29288", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37128", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29288" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:27Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29288", "reference_id": "CVE-2023-29288", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29288" }, { "reference_url": "https://github.com/advisories/GHSA-f989-3fp9-q3r2", "reference_id": "GHSA-f989-3fp9-q3r2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f989-3fp9-q3r2" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29288", "GHSA-f989-3fp9-q3r2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mtr5-suag-2bdj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110890?format=api", "vulnerability_id": "VCID-n5mn-3a8f-nbdb", "summary": "Magento discloses sensitive information\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability via the `quoteId` parameter. An attacker can abuse this vulnerability to disclose sensitive information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36039", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00801", "scoring_system": "epss", "scoring_elements": "0.74435", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00801", "scoring_system": "epss", "scoring_elements": "0.74466", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36039" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36039", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36039" }, { "reference_url": "https://github.com/advisories/GHSA-3g7m-g8qm-x6j5", "reference_id": "GHSA-3g7m-g8qm-x6j5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3g7m-g8qm-x6j5" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36039", "GHSA-3g7m-g8qm-x6j5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n5mn-3a8f-nbdb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111239?format=api", "vulnerability_id": "VCID-nf6t-99ep-w3dy", "summary": "Magento command injection vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9582", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0323", "scoring_system": "epss", "scoring_elements": "0.87306", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0323", "scoring_system": "epss", "scoring_elements": "0.87328", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9582" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9582", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9582" }, { "reference_url": "https://github.com/advisories/GHSA-c3m4-hxv9-4mxj", "reference_id": "GHSA-c3m4-hxv9-4mxj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c3m4-hxv9-4mxj" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9582", "GHSA-c3m4-hxv9-4mxj" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nf6t-99ep-w3dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111283?format=api", "vulnerability_id": "VCID-nm39-k1su-yyep", "summary": "Magento vulnerable to a file upload restriction bypass\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21014", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00372", "scoring_system": "epss", "scoring_elements": "0.59284", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00372", "scoring_system": "epss", "scoring_elements": "0.59335", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21014" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497" }, { "reference_url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21014", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21014" }, { "reference_url": "https://github.com/advisories/GHSA-269w-pqc7-68q9", "reference_id": "GHSA-269w-pqc7-68q9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-269w-pqc7-68q9" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21014", "GHSA-269w-pqc7-68q9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nm39-k1su-yyep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45951?format=api", "vulnerability_id": "VCID-nn21-hf8r-ykfd", "summary": "Magento XML Injection vulnerability in the Widgets Update Layout\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36023", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.1628", "scoring_system": "epss", "scoring_elements": "0.9495", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.1628", "scoring_system": "epss", "scoring_elements": "0.94958", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36023" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:52:38Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36023", "reference_id": "CVE-2021-36023", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36023" }, { "reference_url": "https://github.com/advisories/GHSA-8cjg-f53m-8m9q", "reference_id": "GHSA-8cjg-f53m-8m9q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8cjg-f53m-8m9q" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36023", "GHSA-8cjg-f53m-8m9q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nn21-hf8r-ykfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111183?format=api", "vulnerability_id": "VCID-p1py-xewy-7khn", "summary": "Magento XML Injection vulnerability in the Widgets Module\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Module. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36033", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93679", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93688", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36033" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36033", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36033" }, { "reference_url": "https://github.com/advisories/GHSA-p746-qw73-qmmx", "reference_id": "GHSA-p746-qw73-qmmx", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p746-qw73-qmmx" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36033", "GHSA-p746-qw73-qmmx" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1py-xewy-7khn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47020?format=api", "vulnerability_id": "VCID-p222-28c1-vfhy", "summary": "Magento Open Source allows Uncontrolled Resource Consumption\nAdobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to an application denial-of-service. A high-privileged attacker could leverage this vulnerability to exhaust system resources, causing the application to slow down or crash. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20716", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00265", "scoring_system": "epss", "scoring_elements": "0.50257", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20716" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-18T00:20:23Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-03.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20716", "reference_id": "CVE-2024-20716", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20716" }, { "reference_url": "https://github.com/advisories/GHSA-c9h9-h5gf-885r", "reference_id": "GHSA-c9h9-h5gf-885r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c9h9-h5gf-885r" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20716", "GHSA-c9h9-h5gf-885r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p222-28c1-vfhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112251?format=api", "vulnerability_id": "VCID-p9qx-66yy-1kc1", "summary": "Magento improper authorization vulnerability\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An attacker with admin privileges could leverage this vulnerability to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36029", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0345", "scoring_system": "epss", "scoring_elements": "0.87729", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0345", "scoring_system": "epss", "scoring_elements": "0.87751", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36029" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36029", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36029" }, { "reference_url": "https://github.com/advisories/GHSA-m8wx-whpp-q283", "reference_id": "GHSA-m8wx-whpp-q283", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m8wx-whpp-q283" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36029", "GHSA-m8wx-whpp-q283" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p9qx-66yy-1kc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111336?format=api", "vulnerability_id": "VCID-pm85-dfg2-euep", "summary": "Magento executes code via the API File Option Upload Extension\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability in the API File Option Upload Extension. An attacker with Admin privileges can achieve unrestricted file upload which can result in remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36042", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04108", "scoring_system": "epss", "scoring_elements": "0.888", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04108", "scoring_system": "epss", "scoring_elements": "0.88817", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36042" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36042", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36042" }, { "reference_url": "https://github.com/advisories/GHSA-6cwv-wj7v-73xp", "reference_id": "GHSA-6cwv-wj7v-73xp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6cwv-wj7v-73xp" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36042", "GHSA-6cwv-wj7v-73xp" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pm85-dfg2-euep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111241?format=api", "vulnerability_id": "VCID-q4yr-fqww-tbb1", "summary": "Magento incorrect user permissions vulnerability within the Inventory component\nMagento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect user permissions vulnerability within the Inventory component. This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24403", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40758", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40836", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-24403" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24403", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24403" }, { "reference_url": "https://github.com/advisories/GHSA-39rw-4m66-82gf", "reference_id": "GHSA-39rw-4m66-82gf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39rw-4m66-82gf" } ], "fixed_packages": [], "aliases": [ "CVE-2020-24403", "GHSA-39rw-4m66-82gf" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q4yr-fqww-tbb1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46196?format=api", "vulnerability_id": "VCID-qfw5-3tdu-x7g4", "summary": "Magento Open Source has Improper Input Validation Vulnerability\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-26367", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00363", "scoring_system": "epss", "scoring_elements": "0.58724", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00363", "scoring_system": "epss", "scoring_elements": "0.58677", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-26367" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:49:12Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26367", "reference_id": "CVE-2023-26367", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26367" }, { "reference_url": "https://github.com/advisories/GHSA-9mx6-4gg4-85xj", "reference_id": "GHSA-9mx6-4gg4-85xj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9mx6-4gg4-85xj" } ], "fixed_packages": [], "aliases": [ "CVE-2023-26367", "GHSA-9mx6-4gg4-85xj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qfw5-3tdu-x7g4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55697?format=api", "vulnerability_id": "VCID-qj4x-u7gx-9uf1", "summary": "Magento Improper Authorization vulnerability\nMagento versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and modify minor information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39404", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00243", "scoring_system": "epss", "scoring_elements": "0.47829", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39404" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-14T14:12:52Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-61.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39404", "reference_id": "CVE-2024-39404", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39404" }, { "reference_url": "https://github.com/advisories/GHSA-qrh3-vxjg-h9h6", "reference_id": "GHSA-qrh3-vxjg-h9h6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrh3-vxjg-h9h6" } ], "fixed_packages": [], "aliases": [ "CVE-2024-39404", "GHSA-qrh3-vxjg-h9h6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qj4x-u7gx-9uf1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56623?format=api", "vulnerability_id": "VCID-qp7s-amch-v3cd", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to modify limited fields. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24435", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40477", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24435" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:49:16Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24435", "reference_id": "CVE-2025-24435", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24435" }, { "reference_url": "https://github.com/advisories/GHSA-82p4-55gj-956p", "reference_id": "GHSA-82p4-55gj-956p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-82p4-55gj-956p" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24435", "GHSA-82p4-55gj-956p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qp7s-amch-v3cd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111382?format=api", "vulnerability_id": "VCID-qq42-4zzt-3kh2", "summary": "Magento XPath Injection\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to XML injection in the product layout updates. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21025", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04724", "scoring_system": "epss", "scoring_elements": "0.8958", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04724", "scoring_system": "epss", "scoring_elements": "0.89597", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21025" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21025", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21025" }, { "reference_url": "https://github.com/advisories/GHSA-h437-qjj9-vmq4", "reference_id": "GHSA-h437-qjj9-vmq4", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h437-qjj9-vmq4" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21025", "GHSA-h437-qjj9-vmq4" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qq42-4zzt-3kh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111957?format=api", "vulnerability_id": "VCID-qr9t-ckvn-8uby", "summary": "Magento security mitigation bypass vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9632", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07985", "scoring_system": "epss", "scoring_elements": "0.9223", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.07985", "scoring_system": "epss", "scoring_elements": "0.92243", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9632" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9632", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9632" }, { "reference_url": "https://github.com/advisories/GHSA-6w29-x5j4-qhrw", "reference_id": "GHSA-6w29-x5j4-qhrw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6w29-x5j4-qhrw" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9632", "GHSA-6w29-x5j4-qhrw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qr9t-ckvn-8uby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48030?format=api", "vulnerability_id": "VCID-qrwc-3gsb-zkfy", "summary": "Magento provides incorrect authorization through a security feature bypass\nMagento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. A low-privileged attacker could leverage this vulnerability to bypass security measures and maintain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54263", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00092", "scoring_system": "epss", "scoring_elements": "0.25983", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54263" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-21T03:55:29Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54263", "reference_id": "CVE-2025-54263", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54263" }, { "reference_url": "https://github.com/advisories/GHSA-69x9-xp2j-w8g8", "reference_id": "GHSA-69x9-xp2j-w8g8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-69x9-xp2j-w8g8" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54263", "GHSA-69x9-xp2j-w8g8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qrwc-3gsb-zkfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56642?format=api", "vulnerability_id": "VCID-qzqd-271b-ybfj", "summary": "Magento Information Exposure vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Information Exposure vulnerability that could result in privilege escalation. A low-privileged attacker could gain unauthorized access to sensitive information. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24408", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00377", "scoring_system": "epss", "scoring_elements": "0.59659", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24408" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:49:13Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24408", "reference_id": "CVE-2025-24408", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24408" }, { "reference_url": "https://github.com/advisories/GHSA-3cfg-w257-cgf8", "reference_id": "GHSA-3cfg-w257-cgf8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3cfg-w257-cgf8" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24408", "GHSA-3cfg-w257-cgf8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qzqd-271b-ybfj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56633?format=api", "vulnerability_id": "VCID-r4bw-w4t9-23ek", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24427", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00188", "scoring_system": "epss", "scoring_elements": "0.40477", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24427" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:49:04Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24427", "reference_id": "CVE-2025-24427", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24427" }, { "reference_url": "https://github.com/advisories/GHSA-v3hq-g424-5mgg", "reference_id": "GHSA-v3hq-g424-5mgg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v3hq-g424-5mgg" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24427", "GHSA-v3hq-g424-5mgg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r4bw-w4t9-23ek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46191?format=api", "vulnerability_id": "VCID-r7nh-arcj-8fb3", "summary": "Magento Open Source allows Uncontrolled Resource Consumption\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Uncontrolled Resource Consumption vulnerability that could lead into a minor application denial-of-service. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38251", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00232", "scoring_system": "epss", "scoring_elements": "0.46133", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38251" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:04Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38251", "reference_id": "CVE-2023-38251", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38251" }, { "reference_url": "https://github.com/advisories/GHSA-7pfc-834q-h497", "reference_id": "GHSA-7pfc-834q-h497", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7pfc-834q-h497" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38251", "GHSA-7pfc-834q-h497" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r7nh-arcj-8fb3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46199?format=api", "vulnerability_id": "VCID-rbjk-3gcs-2qb5", "summary": "Magento Open Source allows Improper Authorization\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38220", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.35764", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38220" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:06Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38220", "reference_id": "CVE-2023-38220", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38220" }, { "reference_url": "https://github.com/advisories/GHSA-grc6-r6f8-xj7c", "reference_id": "GHSA-grc6-r6f8-xj7c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-grc6-r6f8-xj7c" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38220", "GHSA-grc6-r6f8-xj7c" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rbjk-3gcs-2qb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56630?format=api", "vulnerability_id": "VCID-re84-qg3k-3ub3", "summary": "Adobe Commerce Path Traversal\nAdobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00235", "scoring_system": "epss", "scoring_elements": "0.4666", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24406" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:51:36Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24406", "reference_id": "CVE-2025-24406", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24406" }, { "reference_url": "https://github.com/advisories/GHSA-954p-ff72-327w", "reference_id": "GHSA-954p-ff72-327w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-954p-ff72-327w" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24406", "GHSA-954p-ff72-327w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-re84-qg3k-3ub3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46192?format=api", "vulnerability_id": "VCID-rf6p-ct86-5bgz", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01841", "scoring_system": "epss", "scoring_elements": "0.83333", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38249" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:49:36Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38249", "reference_id": "CVE-2023-38249", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38249" }, { "reference_url": "https://github.com/advisories/GHSA-rq36-9f5f-2gw7", "reference_id": "GHSA-rq36-9f5f-2gw7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rq36-9f5f-2gw7" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38249", "GHSA-rq36-9f5f-2gw7" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rf6p-ct86-5bgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112402?format=api", "vulnerability_id": "VCID-rgnq-s54v-vkdm", "summary": "Magento has an XML Injection vulnerability\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability when saving a configurable product. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36028", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93679", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.11326", "scoring_system": "epss", "scoring_elements": "0.93688", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36028" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36028", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36028" }, { "reference_url": "https://github.com/advisories/GHSA-5pjj-7fq8-9gpf", "reference_id": "GHSA-5pjj-7fq8-9gpf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pjj-7fq8-9gpf" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36028", "GHSA-5pjj-7fq8-9gpf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgnq-s54v-vkdm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47435?format=api", "vulnerability_id": "VCID-ruru-fwmn-5kes", "summary": "Magento Open Source allows Improper Input Validation\nAdobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but the attack complexity is high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20758", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02201", "scoring_system": "epss", "scoring_elements": "0.84756", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-20758" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-04-11T04:01:06Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb24-18.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20758", "reference_id": "CVE-2024-20758", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20758" }, { "reference_url": "https://github.com/advisories/GHSA-wh4m-6rh3-p4rq", "reference_id": "GHSA-wh4m-6rh3-p4rq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wh4m-6rh3-p4rq" } ], "fixed_packages": [], "aliases": [ "CVE-2024-20758", "GHSA-wh4m-6rh3-p4rq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ruru-fwmn-5kes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56635?format=api", "vulnerability_id": "VCID-s4bp-kzfu-8qfy", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24412", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24412" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:41Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24412", "reference_id": "CVE-2025-24412", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24412" }, { "reference_url": "https://github.com/advisories/GHSA-m4rg-mpp2-97px", "reference_id": "GHSA-m4rg-mpp2-97px", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-m4rg-mpp2-97px" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24412", "GHSA-m4rg-mpp2-97px" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4bp-kzfu-8qfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46193?format=api", "vulnerability_id": "VCID-s5e2-d6n8-kkbr", "summary": "Magento Open Source allows Cross-Site Scripting (XSS)\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Payload is stored in an admin area, resulting in high confidentiality and integrity impact.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38219", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0152", "scoring_system": "epss", "scoring_elements": "0.81604", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38219" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:49:34Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38219", "reference_id": "CVE-2023-38219", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38219" }, { "reference_url": "https://github.com/advisories/GHSA-3j7w-jp46-9752", "reference_id": "GHSA-3j7w-jp46-9752", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3j7w-jp46-9752" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38219", "GHSA-3j7w-jp46-9752" ], "risk_score": 3.9, "exploitability": "0.5", "weighted_severity": "7.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s5e2-d6n8-kkbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56644?format=api", "vulnerability_id": "VCID-scg7-ugdn-53b9", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24424", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00225", "scoring_system": "epss", "scoring_elements": "0.45292", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24424" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:48:44Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24424", "reference_id": "CVE-2025-24424", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24424" }, { "reference_url": "https://github.com/advisories/GHSA-539v-w87w-w62c", "reference_id": "GHSA-539v-w87w-w62c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-539v-w87w-w62c" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24424", "GHSA-539v-w87w-w62c" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-scg7-ugdn-53b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111360?format=api", "vulnerability_id": "VCID-sd6n-a9mk-aufb", "summary": "Magento DOM-based Cross-Site Scripting vulnerability on mage-messages cookies\nMagento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a DOM-based Cross-Site Scripting vulnerability on mage-messages cookies. Successful exploitation could lead to arbitrary JavaScript execution by an unauthenticated attacker. User interaction is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28556", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.23863", "scoring_system": "epss", "scoring_elements": "0.96121", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.23863", "scoring_system": "epss", "scoring_elements": "0.96126", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28556" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28556", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28556" }, { "reference_url": "https://github.com/advisories/GHSA-39ch-rg26-gmq5", "reference_id": "GHSA-39ch-rg26-gmq5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-39ch-rg26-gmq5" } ], "fixed_packages": [], "aliases": [ "CVE-2021-28556", "GHSA-39ch-rg26-gmq5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sd6n-a9mk-aufb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57435?format=api", "vulnerability_id": "VCID-tc3m-4bkg-qkcf", "summary": "Magento Improper Authorization leading to security feature bypass\nMagento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43585", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00591", "scoring_system": "epss", "scoring_elements": "0.6963", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-43585" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-10T17:23:05Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43585", "reference_id": "CVE-2025-43585", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43585" }, { "reference_url": "https://github.com/advisories/GHSA-r487-9vv5-75gg", "reference_id": "GHSA-r487-9vv5-75gg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r487-9vv5-75gg" } ], "fixed_packages": [], "aliases": [ "CVE-2025-43585", "GHSA-r487-9vv5-75gg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tc3m-4bkg-qkcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112400?format=api", "vulnerability_id": "VCID-tdg3-1dcq-ekgr", "summary": "Magento Defense-in-depth security mitigation vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9585", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0622", "scoring_system": "epss", "scoring_elements": "0.91038", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0622", "scoring_system": "epss", "scoring_elements": "0.91051", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9585" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9585", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9585" }, { "reference_url": "https://github.com/advisories/GHSA-55gv-hfg3-hwjq", "reference_id": "GHSA-55gv-hfg3-hwjq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-55gv-hfg3-hwjq" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9585", "GHSA-55gv-hfg3-hwjq" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tdg3-1dcq-ekgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56624?format=api", "vulnerability_id": "VCID-te3b-exz5-zke1", "summary": "Magento Stored Cross-Site Scripting (XSS) Vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24415", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01321", "scoring_system": "epss", "scoring_elements": "0.80247", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24415" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:47Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24415", "reference_id": "CVE-2025-24415", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24415" }, { "reference_url": "https://github.com/advisories/GHSA-gc27-rvvm-q77r", "reference_id": "GHSA-gc27-rvvm-q77r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gc27-rvvm-q77r" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24415", "GHSA-gc27-rvvm-q77r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-te3b-exz5-zke1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48029?format=api", "vulnerability_id": "VCID-th7y-aj51-mbaj", "summary": "Magento vulnerable to stored Cross-Site Scripting (XSS)\nMagento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44021", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54264" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-21T03:55:28Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54264", "reference_id": "CVE-2025-54264", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54264" }, { "reference_url": "https://github.com/advisories/GHSA-2768-5wmv-cfff", "reference_id": "GHSA-2768-5wmv-cfff", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2768-5wmv-cfff" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54264", "GHSA-2768-5wmv-cfff" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-th7y-aj51-mbaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56627?format=api", "vulnerability_id": "VCID-tvz9-8s4d-gbg6", "summary": "Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing security mechanisms. Exploitation of this issue requires user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24430", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27789", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24430" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:48:47Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24430", "reference_id": "CVE-2025-24430", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24430" }, { "reference_url": "https://github.com/advisories/GHSA-6w27-c66f-gvhq", "reference_id": "GHSA-6w27-c66f-gvhq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6w27-c66f-gvhq" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24430", "GHSA-6w27-c66f-gvhq" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvz9-8s4d-gbg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57816?format=api", "vulnerability_id": "VCID-tzug-ckkn-dyft", "summary": "Magento vulnerable to denial of service\nMagento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49554", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00289", "scoring_system": "epss", "scoring_elements": "0.52681", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49554" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-13T14:18:27Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49554", "reference_id": "CVE-2025-49554", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49554" }, { "reference_url": "https://github.com/advisories/GHSA-xgfm-992v-h2hr", "reference_id": "GHSA-xgfm-992v-h2hr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xgfm-992v-h2hr" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49554", "GHSA-xgfm-992v-h2hr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tzug-ckkn-dyft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111540?format=api", "vulnerability_id": "VCID-u2hc-27c2-1udc", "summary": "Magento Violation of Secure Design Principles vulnerability in RMA PDF filename formats\nMagento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28583", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00531", "scoring_system": "epss", "scoring_elements": "0.67609", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00531", "scoring_system": "epss", "scoring_elements": "0.6765", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28583" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28583", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28583" }, { "reference_url": "https://github.com/advisories/GHSA-7gh6-f4jh-3crq", "reference_id": "GHSA-7gh6-f4jh-3crq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gh6-f4jh-3crq" } ], "fixed_packages": [], "aliases": [ "CVE-2021-28583", "GHSA-7gh6-f4jh-3crq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u2hc-27c2-1udc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44761?format=api", "vulnerability_id": "VCID-upcj-z3c1-ubcf", "summary": "Magento Open Source allows Improper Access Control\nAdobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the availability of a user's minor feature. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22250", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00436", "scoring_system": "epss", "scoring_elements": "0.63326", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00436", "scoring_system": "epss", "scoring_elements": "0.6337", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22250" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:21Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-17.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22250", "reference_id": "CVE-2023-22250", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22250" }, { "reference_url": "https://github.com/advisories/GHSA-4h7p-4vq8-g2gh", "reference_id": "GHSA-4h7p-4vq8-g2gh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4h7p-4vq8-g2gh" } ], "fixed_packages": [], "aliases": [ "CVE-2023-22250", "GHSA-4h7p-4vq8-g2gh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-upcj-z3c1-ubcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112327?format=api", "vulnerability_id": "VCID-uwnu-vhsb-g3bj", "summary": "Magento Stored cross-site scripting\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9584", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38066", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00171", "scoring_system": "epss", "scoring_elements": "0.38157", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9584" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9584", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9584" }, { "reference_url": "https://github.com/advisories/GHSA-45h4-6gcj-6hwv", "reference_id": "GHSA-45h4-6gcj-6hwv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-45h4-6gcj-6hwv" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9584", "GHSA-45h4-6gcj-6hwv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwnu-vhsb-g3bj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111584?format=api", "vulnerability_id": "VCID-ve4u-d5rz-wyab", "summary": "Magento OS command injection via the WebAPI\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21016", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04449", "scoring_system": "epss", "scoring_elements": "0.89248", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04449", "scoring_system": "epss", "scoring_elements": "0.89266", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21016" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497" }, { "reference_url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21016", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21016" }, { "reference_url": "https://github.com/advisories/GHSA-792f-c8mp-2cr5", "reference_id": "GHSA-792f-c8mp-2cr5", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-792f-c8mp-2cr5" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21016", "GHSA-792f-c8mp-2cr5" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ve4u-d5rz-wyab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111762?format=api", "vulnerability_id": "VCID-vyyk-xq4q-b3bz", "summary": "Magento path traversal vulnerability\nMagento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9689", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01219", "scoring_system": "epss", "scoring_elements": "0.79387", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01219", "scoring_system": "epss", "scoring_elements": "0.79414", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9689" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/9436781734e47c83e96977fa770d255217680d5e#diff-7c7399d1d47cdaf120a1a503b7ad87f496d98790203dc82b395ec6bc2d430a55", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/9436781734e47c83e96977fa770d255217680d5e#diff-7c7399d1d47cdaf120a1a503b7ad87f496d98790203dc82b395ec6bc2d430a55" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-47.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9689", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9689" }, { "reference_url": "https://github.com/advisories/GHSA-fr6f-xmfx-rrpq", "reference_id": "GHSA-fr6f-xmfx-rrpq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fr6f-xmfx-rrpq" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9689", "GHSA-fr6f-xmfx-rrpq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vyyk-xq4q-b3bz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45808?format=api", "vulnerability_id": "VCID-w3zd-fezc-nuhd", "summary": "Magento Open Source allows XML Injection\nAdobe Commerce versions 2.4.6-p1 (and earlier), 2.4.5-p3 (and earlier) and 2.4.4-p4 (and earlier) are affected by a XML Injection (aka Blind XPath Injection) vulnerability that could lead in minor arbitrary file system read. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38207", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01147", "scoring_system": "epss", "scoring_elements": "0.78829", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38207" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:21Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-42.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207", "reference_id": "CVE-2023-38207", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38207" }, { "reference_url": "https://github.com/advisories/GHSA-rpv2-g4pc-wp72", "reference_id": "GHSA-rpv2-g4pc-wp72", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-rpv2-g4pc-wp72" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38207", "GHSA-rpv2-g4pc-wp72" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w3zd-fezc-nuhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111364?format=api", "vulnerability_id": "VCID-w42y-yc7r-kqhp", "summary": "Magento stored cross-site scripting vulnerability in the customer address upload feature\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a stored cross-site scripting vulnerability in the customer address upload feature that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36026", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01528", "scoring_system": "epss", "scoring_elements": "0.81624", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01528", "scoring_system": "epss", "scoring_elements": "0.81654", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36026" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36026", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36026" }, { "reference_url": "https://github.com/advisories/GHSA-8gfq-m4cf-w975", "reference_id": "GHSA-8gfq-m4cf-w975", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8gfq-m4cf-w975" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36026", "GHSA-8gfq-m4cf-w975" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w42y-yc7r-kqhp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111309?format=api", "vulnerability_id": "VCID-w4uu-k7nk-a7hr", "summary": "Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21027", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58918", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.58965", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-21027" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497" }, { "reference_url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21027", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21027" }, { "reference_url": "https://github.com/advisories/GHSA-h4xc-577p-hgj9", "reference_id": "GHSA-h4xc-577p-hgj9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h4xc-577p-hgj9" } ], "fixed_packages": [], "aliases": [ "CVE-2021-21027", "GHSA-h4xc-577p-hgj9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w4uu-k7nk-a7hr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111983?format=api", "vulnerability_id": "VCID-wbt5-q9qd-8kby", "summary": "Magento Path Traversal vulnerability\nMagento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28584", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00574", "scoring_system": "epss", "scoring_elements": "0.69125", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00574", "scoring_system": "epss", "scoring_elements": "0.69164", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28584" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28584", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28584" }, { "reference_url": "https://github.com/advisories/GHSA-7gpv-xrjr-f5h4", "reference_id": "GHSA-7gpv-xrjr-f5h4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gpv-xrjr-f5h4" } ], "fixed_packages": [], "aliases": [ "CVE-2021-28584", "GHSA-7gpv-xrjr-f5h4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wbt5-q9qd-8kby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112277?format=api", "vulnerability_id": "VCID-wh14-k3ex-pubq", "summary": "Magento affected by a business logic error in the placeOrder graphql mutation\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by a business logic error in the placeOrder graphql mutation. An authenticated attacker can leverage this vulnerability to altar the price of an item.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36012", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00792", "scoring_system": "epss", "scoring_elements": "0.74277", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00792", "scoring_system": "epss", "scoring_elements": "0.7431", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36012" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36012", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36012" }, { "reference_url": "https://github.com/advisories/GHSA-3f97-7pgv-gmgr", "reference_id": "GHSA-3f97-7pgv-gmgr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3f97-7pgv-gmgr" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36012", "GHSA-3f97-7pgv-gmgr" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wh14-k3ex-pubq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45417?format=api", "vulnerability_id": "VCID-wjfe-wh5k-1qft", "summary": "Magento Open Source allows Incorrect Authorization\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29295", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0012", "scoring_system": "epss", "scoring_elements": "0.30629", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29295" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:06Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29295", "reference_id": "CVE-2023-29295", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29295" }, { "reference_url": "https://github.com/advisories/GHSA-354h-fpmq-68v7", "reference_id": "GHSA-354h-fpmq-68v7", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-354h-fpmq-68v7" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29295", "GHSA-354h-fpmq-68v7" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wjfe-wh5k-1qft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45401?format=api", "vulnerability_id": "VCID-ws6y-k3tx-r3gb", "summary": "Magento Open Source affected by Improper Input Validation\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to leak another user's data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22248", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.37837", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.37928", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22248" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:39:10Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22248", "reference_id": "CVE-2023-22248", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22248" }, { "reference_url": "https://github.com/advisories/GHSA-5jfg-phx7-7fxg", "reference_id": "GHSA-5jfg-phx7-7fxg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5jfg-phx7-7fxg" } ], "fixed_packages": [], "aliases": [ "CVE-2023-22248", "GHSA-5jfg-phx7-7fxg" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ws6y-k3tx-r3gb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110945?format=api", "vulnerability_id": "VCID-wwp5-kfhy-ufar", "summary": "Magento Signature verification bypass\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9588", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01185", "scoring_system": "epss", "scoring_elements": "0.79127", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01185", "scoring_system": "epss", "scoring_elements": "0.79153", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9588" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9588", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9588" }, { "reference_url": "https://github.com/advisories/GHSA-j2r4-2cr6-h3r3", "reference_id": "GHSA-j2r4-2cr6-h3r3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j2r4-2cr6-h3r3" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9588", "GHSA-j2r4-2cr6-h3r3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wwp5-kfhy-ufar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112253?format=api", "vulnerability_id": "VCID-wzcg-wnnq-uudu", "summary": "Magento security mitigation bypass vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9631", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.07683", "scoring_system": "epss", "scoring_elements": "0.9205", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.07683", "scoring_system": "epss", "scoring_elements": "0.92063", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9631" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9631", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9631" }, { "reference_url": "https://github.com/advisories/GHSA-gffx-9f36-r8wp", "reference_id": "GHSA-gffx-9f36-r8wp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gffx-9f36-r8wp" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9631", "GHSA-gffx-9f36-r8wp" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wzcg-wnnq-uudu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57821?format=api", "vulnerability_id": "VCID-wzu6-rbsv-mkde", "summary": "Magento vulnerable to path traversal\nMagento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49559", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00589", "scoring_system": "epss", "scoring_elements": "0.69567", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49559" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-08-13T15:04:14Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-71.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49559", "reference_id": "CVE-2025-49559", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49559" }, { "reference_url": "https://github.com/advisories/GHSA-h4f4-gv6h-x824", "reference_id": "GHSA-h4f4-gv6h-x824", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h4f4-gv6h-x824" } ], "fixed_packages": [], "aliases": [ "CVE-2025-49559", "GHSA-h4f4-gv6h-x824" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wzu6-rbsv-mkde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45412?format=api", "vulnerability_id": "VCID-x46d-a16g-nkg9", "summary": "Magento Open Source has Business Logic Errors Vulnerability\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Business Logic Errors vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass a minor functionality. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29294", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00197", "scoring_system": "epss", "scoring_elements": "0.41703", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29294" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:09Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29294", "reference_id": "CVE-2023-29294", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29294" }, { "reference_url": "https://github.com/advisories/GHSA-28vp-39rf-3q2j", "reference_id": "GHSA-28vp-39rf-3q2j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-28vp-39rf-3q2j" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29294", "GHSA-28vp-39rf-3q2j" ], "risk_score": 1.9, "exploitability": "0.5", "weighted_severity": "3.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x46d-a16g-nkg9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112088?format=api", "vulnerability_id": "VCID-xbhh-m11c-gkeu", "summary": "Magento Improper input validation vulnerability\nMagento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28585", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.57907", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00353", "scoring_system": "epss", "scoring_elements": "0.5796", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28585" }, { "reference_url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-30.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28585", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28585" }, { "reference_url": "https://github.com/advisories/GHSA-c38m-9668-6j2w", "reference_id": "GHSA-c38m-9668-6j2w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c38m-9668-6j2w" } ], "fixed_packages": [], "aliases": [ "CVE-2021-28585", "GHSA-c38m-9668-6j2w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xbhh-m11c-gkeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56640?format=api", "vulnerability_id": "VCID-xsq8-ztqh-ubb8", "summary": "Magento stored Cross-Site Scripting (XSS) vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24438", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04462", "scoring_system": "epss", "scoring_elements": "0.89292", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24438" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-14T04:55:43Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24438", "reference_id": "CVE-2025-24438", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24438" }, { "reference_url": "https://github.com/advisories/GHSA-8884-7rm9-mrx4", "reference_id": "GHSA-8884-7rm9-mrx4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8884-7rm9-mrx4" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24438", "GHSA-8884-7rm9-mrx4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xsq8-ztqh-ubb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46190?format=api", "vulnerability_id": "VCID-y4r1-yr69-uuf6", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38250", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01841", "scoring_system": "epss", "scoring_elements": "0.83333", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38250" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:49:35Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38250", "reference_id": "CVE-2023-38250", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38250" }, { "reference_url": "https://github.com/advisories/GHSA-h3g9-cwr6-hphx", "reference_id": "GHSA-h3g9-cwr6-hphx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h3g9-cwr6-hphx" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38250", "GHSA-h3g9-cwr6-hphx" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y4r1-yr69-uuf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56641?format=api", "vulnerability_id": "VCID-y7x4-664r-3fbk", "summary": "Magento Improper Access Control vulnerability\nAdobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24436", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35372", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-24436" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T18:48:53Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-08.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24436", "reference_id": "CVE-2025-24436", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24436" }, { "reference_url": "https://github.com/advisories/GHSA-ghpr-6qhr-rpp8", "reference_id": "GHSA-ghpr-6qhr-rpp8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ghpr-6qhr-rpp8" } ], "fixed_packages": [], "aliases": [ "CVE-2025-24436", "GHSA-ghpr-6qhr-rpp8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y7x4-664r-3fbk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46041?format=api", "vulnerability_id": "VCID-y93w-2qcc-wqg8", "summary": "Magento Open Source affected by Improper Input Validation\nAdobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in a post-authentication arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24093", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01122", "scoring_system": "epss", "scoring_elements": "0.78618", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01122", "scoring_system": "epss", "scoring_elements": "0.7859", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24093" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:51:54Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb22-13.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24093", "reference_id": "CVE-2022-24093", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24093" }, { "reference_url": "https://github.com/advisories/GHSA-5xmp-7wg5-x68q", "reference_id": "GHSA-5xmp-7wg5-x68q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5xmp-7wg5-x68q" } ], "fixed_packages": [], "aliases": [ "CVE-2022-24093", "GHSA-5xmp-7wg5-x68q" ], "risk_score": 3.2, "exploitability": "0.5", "weighted_severity": "6.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y93w-2qcc-wqg8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/112329?format=api", "vulnerability_id": "VCID-ya5v-gewx-gudt", "summary": "Magento Security mitigation bypass vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9580", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0622", "scoring_system": "epss", "scoring_elements": "0.91038", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0622", "scoring_system": "epss", "scoring_elements": "0.91051", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9580" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9580", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9580" }, { "reference_url": "https://github.com/advisories/GHSA-j2jp-58gv-g2pg", "reference_id": "GHSA-j2jp-58gv-g2pg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j2jp-58gv-g2pg" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9580", "GHSA-j2jp-58gv-g2pg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ya5v-gewx-gudt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45418?format=api", "vulnerability_id": "VCID-yuvf-e7hk-kqf9", "summary": "Magento Open Source allows Server-Side Request Forgery (SSRF)\nAdobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00566", "scoring_system": "epss", "scoring_elements": "0.68882", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29291" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-05T18:36:20Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-35.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29291", "reference_id": "CVE-2023-29291", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29291" }, { "reference_url": "https://github.com/advisories/GHSA-5f79-vhr4-vw2r", "reference_id": "GHSA-5f79-vhr4-vw2r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5f79-vhr4-vw2r" } ], "fixed_packages": [], "aliases": [ "CVE-2023-29291", "GHSA-5f79-vhr4-vw2r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yuvf-e7hk-kqf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48025?format=api", "vulnerability_id": "VCID-yyq6-dvyx-3bb9", "summary": "Magento vulnerable to stored Cross-Site Scripting (XSS)\nMagento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54266", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00057", "scoring_system": "epss", "scoring_elements": "0.18183", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-54266" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T13:24:32Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb25-94.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54266", "reference_id": "CVE-2025-54266", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54266" }, { "reference_url": "https://github.com/advisories/GHSA-pcrx-r49h-x2w5", "reference_id": "GHSA-pcrx-r49h-x2w5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pcrx-r49h-x2w5" } ], "fixed_packages": [], "aliases": [ "CVE-2025-54266", "GHSA-pcrx-r49h-x2w5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yyq6-dvyx-3bb9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111390?format=api", "vulnerability_id": "VCID-ze8y-4wfs-hbf9", "summary": "Magento is affected by an improper authorization vulnerability\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper authorization vulnerability. An authenticated attacker could leverage this vulnerability to achieve sensitive information disclosure.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36037", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00898", "scoring_system": "epss", "scoring_elements": "0.76019", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00898", "scoring_system": "epss", "scoring_elements": "0.76044", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36037" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb21-64.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36037", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36037" }, { "reference_url": "https://github.com/advisories/GHSA-vrq2-w7r7-3fp2", "reference_id": "GHSA-vrq2-w7r7-3fp2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vrq2-w7r7-3fp2" } ], "fixed_packages": [], "aliases": [ "CVE-2021-36037", "GHSA-vrq2-w7r7-3fp2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ze8y-4wfs-hbf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111345?format=api", "vulnerability_id": "VCID-zgyj-4zuz-wkev", "summary": "Magento authorization bypass vulnerability\nMagento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9587", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.68362", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.68404", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-9587" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb20-22.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9587", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9587" }, { "reference_url": "https://github.com/advisories/GHSA-8wm7-h2qh-ff4c", "reference_id": "GHSA-8wm7-h2qh-ff4c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8wm7-h2qh-ff4c" } ], "fixed_packages": [], "aliases": [ "CVE-2020-9587", "GHSA-8wm7-h2qh-ff4c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zgyj-4zuz-wkev" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46200?format=api", "vulnerability_id": "VCID-zt9b-9sjx-7qb4", "summary": "Magento Open Source allows SQL Injection\nAdobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction and attack complexity is high as it requires knowledge of tooling beyond just using the UI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38221", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01841", "scoring_system": "epss", "scoring_elements": "0.83333", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38221" }, { "reference_url": "https://github.com/magento/magento2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/magento/magento2" }, { "reference_url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-26T21:49:37Z/" } ], "url": "https://helpx.adobe.com/security/products/magento/apsb23-50.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38221", "reference_id": "CVE-2023-38221", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38221" }, { "reference_url": "https://github.com/advisories/GHSA-ggr8-3hwx-4f2m", "reference_id": "GHSA-ggr8-3hwx-4f2m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-ggr8-3hwx-4f2m" } ], "fixed_packages": [], "aliases": [ "CVE-2023-38221", "GHSA-ggr8-3hwx-4f2m" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zt9b-9sjx-7qb4" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/magento/project-community-edition@0.42.0-beta1" }