{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","type":"composer","namespace":"magento","name":"community-edition","version":"2.4.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.4.3-p2","latest_non_vulnerable_version":"2.4.9-alpha3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41444?format=json","vulnerability_id":"VCID-1k4q-2ttb-13hd","summary":"Information Exposure\nMagento is vulnerable to an Information Disclosure vulnerability when uploading a modified png file to a product image. Successful exploitation could lead to the disclosure of document root path by an unauthenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28566","reference_id":"","reference_type":"","scores":[{"value":"0.00731","scoring_system":"epss","scoring_elements":"0.73061","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28566"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-30.html","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-30.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28566","reference_id":"CVE-2021-28566","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28566"}],"fixed_packages":[],"aliases":["CVE-2021-28566","GHSA-w942-fw92-mqm2"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1k4q-2ttb-13hd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45958?format=json","vulnerability_id":"VCID-36ve-7wxt-z7fz","summary":"Magento affected by remote code execution vulnerability in the CMS page scheduled update feature\nMagento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an Improper input validation vulnerability within the CMS page scheduled update feature. An authenticated attacker with administrative privilege could leverage this vulnerability to achieve remote code execution on the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36021","reference_id":"","reference_type":"","scores":[{"value":"0.01308","scoring_system":"epss","scoring_elements":"0.80129","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36021"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36021","reference_id":"CVE-2021-36021","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36021"},{"reference_url":"https://github.com/advisories/GHSA-4g27-q2w9-m8m8","reference_id":"GHSA-4g27-q2w9-m8m8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4g27-q2w9-m8m8"}],"fixed_packages":[],"aliases":["CVE-2021-36021","GHSA-4g27-q2w9-m8m8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-36ve-7wxt-z7fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45954?format=json","vulnerability_id":"VCID-b5hn-f1qk-z7cu","summary":"Magento improper access control vulnerability within Magento's Media Gallery Upload workflow\nMagento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36036","reference_id":"","reference_type":"","scores":[{"value":"0.01566","scoring_system":"epss","scoring_elements":"0.81845","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36036"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36036","reference_id":"CVE-2021-36036","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36036"},{"reference_url":"https://github.com/advisories/GHSA-wqr6-wv6c-p8fx","reference_id":"GHSA-wqr6-wv6c-p8fx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqr6-wv6c-p8fx"}],"fixed_packages":[],"aliases":["CVE-2021-36036","GHSA-wqr6-wv6c-p8fx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b5hn-f1qk-z7cu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45951?format=json","vulnerability_id":"VCID-nn21-hf8r-ykfd","summary":"Magento XML Injection vulnerability in the Widgets Update Layout\nMagento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36023","reference_id":"","reference_type":"","scores":[{"value":"0.1628","scoring_system":"epss","scoring_elements":"0.9495","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36023"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-64.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36023","reference_id":"CVE-2021-36023","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36023"},{"reference_url":"https://github.com/advisories/GHSA-8cjg-f53m-8m9q","reference_id":"GHSA-8cjg-f53m-8m9q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8cjg-f53m-8m9q"}],"fixed_packages":[],"aliases":["CVE-2021-36023","GHSA-8cjg-f53m-8m9q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nn21-hf8r-ykfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54681?format=json","vulnerability_id":"VCID-yvcy-4e8m-p3b8","summary":"Improper Authorization\nAn authorization flaw was found in Magento. Successful exploitation could lead to unauthorized modification of customer data by an unauthenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28563","reference_id":"","reference_type":"","scores":[{"value":"0.00257","scoring_system":"epss","scoring_elements":"0.49287","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28563"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/1bd5cb8c065e44779526c0b044ce19b884707695"},{"reference_url":"https://github.com/magento/magento2/commit/ed952726c94e401e922e88490e41a536f2d850e7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/ed952726c94e401e922e88490e41a536f2d850e7"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-30.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-30.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28563","reference_id":"CVE-2021-28563","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28563"}],"fixed_packages":[],"aliases":["CVE-2021-28563","GHSA-q9xx-4689-gvv5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yvcy-4e8m-p3b8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/112485?format=json","vulnerability_id":"VCID-ed87-d3y2-wfck","summary":"Magento improper authorization vulnerability in the integrations module\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21026","reference_id":"","reference_type":"","scores":[{"value":"0.00679","scoring_system":"epss","scoring_elements":"0.71969","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21026"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21026","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21026"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21026","GHSA-crjc-2v9m-8w7r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ed87-d3y2-wfck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111283?format=json","vulnerability_id":"VCID-nm39-k1su-yyep","summary":"Magento vulnerable to a file upload restriction bypass\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to a file upload restriction bypass. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21014","reference_id":"","reference_type":"","scores":[{"value":"0.00372","scoring_system":"epss","scoring_elements":"0.59284","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21014"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21014","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21014"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21014","GHSA-269w-pqc7-68q9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nm39-k1su-yyep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54061?format=json","vulnerability_id":"VCID-spjd-9z79-jueh","summary":"OS Command Injection\nMagento is vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21015","reference_id":"","reference_type":"","scores":[{"value":"0.04856","scoring_system":"epss","scoring_elements":"0.89727","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21015"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21015","reference_id":"CVE-2021-21015","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21015"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/77892?format=json","purl":"pkg:composer/magento/community-edition@2.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgqe-h7ey-33bd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/79754?format=json","purl":"pkg:composer/magento/community-edition@2.4.1-p1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.1-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21015","GHSA-w2p4-2c8c-2g7h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-spjd-9z79-jueh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111584?format=json","vulnerability_id":"VCID-ve4u-d5rz-wyab","summary":"Magento OS command injection via the WebAPI\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to OS command injection via the WebAPI. Successful exploitation could lead to remote code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21016","reference_id":"","reference_type":"","scores":[{"value":"0.04449","scoring_system":"epss","scoring_elements":"0.89248","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21016"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21016","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21016"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21016","GHSA-792f-c8mp-2cr5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ve4u-d5rz-wyab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111309?format=json","vulnerability_id":"VCID-w4uu-k7nk-a7hr","summary":"Magento cross-site request forgery (CSRF) vulnerability via the GraphQL API\nMagento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by a cross-site request forgery (CSRF) vulnerability via the GraphQL API. Successful exploitation could lead to unauthorized modification of customer metadata by an unauthenticated attacker. Access to the admin console is not required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21027","reference_id":"","reference_type":"","scores":[{"value":"0.00367","scoring_system":"epss","scoring_elements":"0.58918","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21027"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21027","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21027","GHSA-h4xc-577p-hgj9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4uu-k7nk-a7hr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54062?format=json","vulnerability_id":"VCID-zubf-dqv7-xkf3","summary":"Cross-site Scripting\nMagento is vulnerable to Cross-Site Scripting in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21029","reference_id":"","reference_type":"","scores":[{"value":"0.43501","scoring_system":"epss","scoring_elements":"0.97581","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21029"},{"reference_url":"https://github.com/magento/magento2","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2"},{"reference_url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a2eb7e29ea92a8bbc86c3b6b81b59d8533088497"},{"reference_url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/magento/magento2/commit/a349e022c9ae070e7da262021f9ef182105aa00b"},{"reference_url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://helpx.adobe.com/security/products/magento/apsb21-08.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21029","reference_id":"CVE-2021-21029","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21029"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/151862?format=json","purl":"pkg:composer/magento/community-edition@2.3.6-p1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7k8-hmqe-wufh"},{"vulnerability":"VCID-h64s-51sc-huga"},{"vulnerability":"VCID-hufp-fajk-n7gu"},{"vulnerability":"VCID-spjd-9z79-jueh"},{"vulnerability":"VCID-zubf-dqv7-xkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/77892?format=json","purl":"pkg:composer/magento/community-edition@2.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fgqe-h7ey-33bd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/79754?format=json","purl":"pkg:composer/magento/community-edition@2.4.1-p1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.1-p1"},{"url":"http://public2.vulnerablecode.io/api/packages/58955?format=json","purl":"pkg:composer/magento/community-edition@2.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1k4q-2ttb-13hd"},{"vulnerability":"VCID-36ve-7wxt-z7fz"},{"vulnerability":"VCID-b5hn-f1qk-z7cu"},{"vulnerability":"VCID-nn21-hf8r-ykfd"},{"vulnerability":"VCID-yvcy-4e8m-p3b8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}],"aliases":["CVE-2021-21029","GHSA-jwxh-wj79-ccm6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zubf-dqv7-xkf3"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/magento/community-edition@2.4.2"}